One comment from Colin:
>>Since it is considered extremely hard (2**64 is a very large
>>number), all you need to do in order to "prove" that MD5 is
>>broken is to present two input texts which hash to the same MD5
>>value.
>
>Which Hans Dobbertin has done, BTW. He showed them at Eurocrypt '96.
>But not for SHA.
Actually, I don't think Hans Dobbertin has done that. He's found a
collision in the compression function used by MD5 --- which is certainly
bad, but it's not the same as a collision in MD5 itself. See
http://www.ph.tn.tudelft.nl/~visser/dobbertin.txt for a sci.crypt
posting from Hans Dobbertin himself. Basically, the collision occurs if
you use a specific hash state, or IV. This hash state is not the hash
state used by MD5, and there is currently no known way of forcing a
particular hash state. I also don't believe there are (yet!) known ways
of extending his attack to work on arbitrary IVs.
- Ted