[144778] in cryptography@c2.net mail archive
Re: Certainty
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue Aug 25 19:49:40 2009
From: "Perry E. Metzger" <perry@piermont.com>
To: hal@finney.org ("Hal Finney")
Cc: cryptography@metzdowd.com
Date: Tue, 25 Aug 2009 17:17:14 -0400
In-Reply-To: <20090825173609.6663214F6E1@finney.org> (Hal Finney's message of
	"Tue, 25 Aug 2009 10:36:09 -0700 (PDT)")
hal@finney.org ("Hal Finney") writes:
> Paul Hoffman wrote:
>> Getting a straight answer on whether or not the recent preimage work
>> is actually related to the earlier collision work would be useful.
[...]
> There was an amusing demo at the rump session though of a different
> kind of preimage technique which does depend directly on collisions. It
> uses the Merkle-Damgard structure of MD5 and creates lots of blocks that
> collide (possibly with different prefixes, I didn't look at it closely).
> Then they were able to show a second preimage attack on a chosen message.
>
> That is, they could create a message and have a signer sign it using MD5.
> Then they could create more messages at will that had the same MD5 hash.
> In this demo, the messages started with text that said, "Dear so-and-so"
> and then had more readable text, followed by binary data. They were able
> to change the person's name in the first line to that of a volunteer
> from the audience, then modify the binary data and create a new version
> of the message with the same MD5 hash, in just a second or two! Very
> amusing demo.
That was the "restricted preimage" attack that I earlier mentioned
seeing in the video of the rump session. It isn't fully general, but it
is certainly disturbing.
As we're often fond of saying, attacks only get better with time; they
never roll back.
Perry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
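As an added illustration, not part of this thread or of the rump-session demo: a toy Merkle-Damgård hash with a 16-bit chaining value (so collisions can be found by brute force; all names and functions here are my own) showing the structural property that demo relied on. Once two prefixes such as "Dear Ann" and "Dear Bob" are driven to the same chaining value by one pair of colliding blocks, every later block is shared, so any common suffix keeps the hashes equal, and chaining a few more same-state collision pairs gives the forger 2^k variants of each message at will.

```python
import hashlib
import itertools

BLOCK = 4            # toy block size in bytes
STATE = 2            # 16-bit chaining value: birthday searches finish in a few hundred tries
IV = b"\x00" * STATE

def compress(state: bytes, block: bytes) -> bytes:
    # Toy compression function: SHA-256 of state||block truncated to STATE bytes.
    return hashlib.sha256(state + block).digest()[:STATE]

def absorb(state: bytes, data: bytes) -> bytes:
    # Run the Merkle-Damgard chain over block-aligned, unpadded data.
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def toy_md(msg: bytes) -> bytes:
    # Full hash: MD-strengthening (0x80, zero pad, 2-byte length), then the chain from IV.
    padded = msg + b"\x80"
    padded += b"\x00" * (-(len(padded) + 2) % BLOCK) + len(msg).to_bytes(2, "big")
    return absorb(IV, padded)

def colliding_blocks(state_a: bytes, state_b: bytes) -> tuple[bytes, bytes]:
    # Birthday search for blocks (x, y) with compress(state_a, x) == compress(state_b, y).
    # Different states: chosen-prefix collision. Equal states: same-prefix collision.
    from_a, from_b = {}, {}
    for n in itertools.count():
        block = n.to_bytes(BLOCK, "big")
        out_a, out_b = compress(state_a, block), compress(state_b, block)
        if out_a in from_b:            # only earlier blocks are stored, so x != y
            return block, from_b[out_a]
        if out_b in from_a:
            return from_a[out_b], block
        from_a[out_a], from_b[out_b] = block, block

def forge(prefix_a: bytes, prefix_b: bytes, k: int, suffix: bytes):
    # Two messages with different readable prefixes but equal hash, each re-spinnable
    # 2**k ways by chaining k further same-state collision pairs (Joux-style multicollision).
    assert len(prefix_a) == len(prefix_b)   # equal lengths keep the length padding identical
    x, y = colliding_blocks(absorb(IV, prefix_a), absorb(IV, prefix_b))
    state, pairs = absorb(IV, prefix_a + x), []
    for _ in range(k):
        pair = colliding_blocks(state, state)
        pairs.append(pair)
        state = compress(state, pair[0])
    tails = [b"".join(p[c] for p, c in zip(pairs, bits)) + suffix
             for bits in itertools.product((0, 1), repeat=k)]
    return [prefix_a + x + t for t in tails], [prefix_b + y + t for t in tails]
```

The toy's weakness is only its 16-bit state; the block-by-block chaining is the same shape as MD5's, which is why a real collision-block pair is enough for the same trick.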