In the events that this have happened I have directly, as diplomatically as I can be, explained that (1) MD5 is not a cipher, but a hash function that does not provide confidentiality. And (2) It is not a hash function one should use . Ever. Never. In a million years. Or more.
And at this stage start to enquire what security the customer think their system/product/service needs and try to move forward from that point. And we usually also talk about MD5 and its brokenness. Than if a secure hash function is needed, there are several good ones to choose from. And if they really don't need a secure hash function, there are others, much faster hash functions to use.
The point is that sometimes things need to be handled directly and up front. This for me is one of those things.
And at this stage start to enquire what security the customer think their system/product/service needs and try to move forward from that point. And we usually also talk about MD5 and its brokenness. Than if a secure hash function is needed, there are several good ones to choose from. And if they really don't need a secure hash function, there are others, much faster hash functions to use.
The point is that sometimes things need to be handled directly and up front. This for me is one of those things.