X-Original-To: cryptography@metzdowd.com
Date: Wed, 05 Jan 2005 11:23:52 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: "C. Scott Ananian" <cscott@cscott.net>
Cc: John Kelsey <kelsey.j@ix.netcom.com>, David Wagner <daw@cs.berkeley.edu>, cryptography@metzdowd.com
In-Reply-To: <Pine.LNX.4.61.0501041853380.29484@cag.csail.mit.edu>

C. Scott Ananian wrote:
> On Wed, 22 Dec 2004, Ben Laurie wrote:
>
>> Blimey. Finally. An attack I can actually believe in. Excellent.
>> D131DD02C5E6EEC4693D9A0698AFF95C2FCAB58712467EAB4004583EB8FB7F8955AD340609F4B30283E488832571415A085125E8F7CDC99FD91DBDF280373C5BD8823E3156348F5BAE6DACD436C919C6DD53E2B487DA03FD02396306D248CDA0E99F33420F577EE8CE54B67080A80D1EC69821BCB6A8839396F9652B6FF72A700000000000000000000000000000001B
>> is prime
>> D131DD02C5E6EEC4693D9A0698AFF95C2FCAB50712467EAB4004583EB8FB7F8955AD340609F4B30283E4888325F1415A085125E8F7CDC99FD91DBD7280373C5BD8823E3156348F5BAE6DACD436C919C6DD53E23487DA03FD02396306D248CDA0E99F33420F577EE8CE54B67080280D1EC69821BCB6A8839396F965AB6FF72A700000000000000000000000000000001B
>> is not prime
>> both have MD5 b4b12dc7ec1b9422f6596d2a863d7900.
>
>
> It's worth noting that the *currently known* MD5 collisions are very
> limited in number and form. Anyone who did not screen their binaries
> for these would be a fool.

It was my understanding that they are very easy to generate. Are you scanning your binaries? Do you have a complete list?

> When more details emerge about the collision-generation technique, we'll
> be able to see if the MD5 collisions remain "weak keys" which we can
> efficiently check a binary for, or become general enough that it's
> impossible to rule out a collision in our binary material.
>
> But since Ben began this discussion by concentrating only on
> *currently-known* weaknesses in MD5, I would have to argue that this
> particular weakness, although possible to "actually believe in", is
> pretty trivial to avoid. In fact, I'd argue strongly that any "security
> review" that neglected to notice a known MD5 collision in the key primes
> (in addition to checking that they are really prime, etc) would be
> incompetent.

Given that we know (for some value of "know") that these collisions can be generated with trivial amounts of work, but do not know how to detect them (yet), I wouldn't agree with this.

What would be incompetent would be to rely on an MD5 hash.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
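Added example, not part of the original message or of any poster's code: a Python review check that hashes the two quoted values with MD5 and SHA-256 and tests each for primality directly, which is the property the MD5 comparison cannot vouch for. It assumes the MD5 was taken over the big-endian bytes of each number and that both values end in the same 16 bytes; `is_probable_prime` and `review` are names chosen here.

```python
import hashlib

# Quoted in the message; MD5 assumed to be over each number's big-endian bytes.
TAIL = "00" * 15 + "1B"  # 16-byte ending shared by both values (assumed length)
A_HEX = (  # "is prime"
    "D131DD02C5E6EEC4693D9A0698AFF95C2FCAB58712467EAB4004583EB8FB7F89"
    "55AD340609F4B30283E488832571415A085125E8F7CDC99FD91DBDF280373C5B"
    "D8823E3156348F5BAE6DACD436C919C6DD53E2B487DA03FD02396306D248CDA0"
    "E99F33420F577EE8CE54B67080A80D1EC69821BCB6A8839396F9652B6FF72A70" + TAIL)
B_HEX = (  # "is not prime"
    "D131DD02C5E6EEC4693D9A0698AFF95C2FCAB50712467EAB4004583EB8FB7F89"
    "55AD340609F4B30283E4888325F1415A085125E8F7CDC99FD91DBD7280373C5B"
    "D8823E3156348F5BAE6DACD436C919C6DD53E23487DA03FD02396306D248CDA0"
    "E99F33420F577EE8CE54B67080280D1EC69821BCB6A8839396F965AB6FF72A70" + TAIL)
CLAIMED_MD5 = "b4b12dc7ec1b9422f6596d2a863d7900"
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    # Miller-Rabin with fixed bases: probabilistic for numbers this large.
    if n < 2:
        return False
    for p in BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # base a witnesses that n is composite
    return True

def review(hex_value):
    # Return (md5, sha256, probable_prime) for one candidate value.
    raw = bytes.fromhex(hex_value)
    return (hashlib.md5(raw).hexdigest(), hashlib.sha256(raw).hexdigest(),
            is_probable_prime(int.from_bytes(raw, "big")))

if __name__ == "__main__":
    for label, value in (("first", A_HEX), ("second", B_HEX)):
        md5, sha256, prime = review(value)
        print(label, md5, md5 == CLAIMED_MD5, sha256[:16], prime)
```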