[16550] in cryptography@c2.net mail archive
Re: The Pointlessness of the MD5 "attacks"
daemon@ATHENA.MIT.EDU (Ben Laurie)
Wed Dec 15 09:53:13 2004
X-Original-To: cryptography@metzdowd.com
Date: Wed, 15 Dec 2004 14:15:02 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: Adam Back <adam@cypherspace.org>
Cc: Ondrej Mikle <ondrej.mikle@gmail.com>,
Cryptography <cryptography@metzdowd.com>
In-Reply-To: <20041215112449.GA13110@bitchcake.off.net>
Adam Back wrote:
> Is this the case? Can't we instead start with code C and malicious C'
> and try to find a collision on H(C||B) == H(C'||B') after trying 2^64
> B values we'll find such a collision by the birthday principle.
Indeed, but that is not the attack suggested.
> Now we can have people review and attest to the correctness of code C,
> and then we can MITM and change surreptitiously with C'.
And with only 2^64 effort. Let me know when you're done.
>
> Adam
>
> On Wed, Dec 15, 2004 at 08:44:03AM +0000, Ben Laurie wrote:
>
>>Adam Back wrote:
>>
>>>Well the people doing the checking (a subset of the power users) may
>>>say "I checked the source and it has this checksum", and another user
>>>may download that checksum and be subject to MITM and not know it.
>>
>>You are missing the point - since the only way to make this trick work
>>is to include a very specific chunk of 64 bytes with a few bits flipped
>>(or not), the actual malicious code must be present anyway and triggered
>>by the flipped bits. So, all of these attacks rely on the code not being
>>inspected or being sufficiently cunning that inspection didn't help.
>>And, if that's the case, the attacks work without any MD5 trickery.
>
>
>
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
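
Added example, not part of the original message: the birthday search over H(C||B) == H(C'||B') discussed in the thread, run against MD5 truncated to n bits so the cost can be measured directly. The truncation widths, the two sample inputs and the function names are assumptions made here; the measured work tracks 2^(n/2), which for the full 128-bit digest is the 2^64 figure quoted above.

```python
import hashlib
from itertools import count

# Constructed sample inputs standing in for C and C' from the thread.
CODE_C = b"int main(void) { return 0; }\n"
CODE_C_PRIME = b"int main(void) { return 1; }\n"


def h(data: bytes, bits: int) -> int:
    """MD5 truncated to its top `bits` bits (toy stand-in for the 128-bit hash)."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - bits)


def birthday_pair(c: bytes, c_prime: bytes, bits: int):
    """Search for B, B' with h(C||B) == h(C'||B').

    Returns (B, B', number of hash evaluations). Both tables grow in
    lockstep, so a match is expected after about 2^(bits/2) entries each.
    """
    seen_c = {}   # truncated digest -> B appended to C
    seen_cp = {}  # truncated digest -> B' appended to C'
    for i in count():
        b = i.to_bytes(8, "big")
        d = h(c + b, bits)
        if d in seen_cp:
            return b, seen_cp[d], 2 * i + 1
        seen_c[d] = b
        d_prime = h(c_prime + b, bits)
        if d_prime in seen_c:
            return seen_c[d_prime], b, 2 * i + 2
        seen_cp[d_prime] = b


if __name__ == "__main__":
    for bits in (16, 20, 24, 28):
        b, bp, evals = birthday_pair(CODE_C, CODE_C_PRIME, bits)
        assert h(CODE_C + b, bits) == h(CODE_C_PRIME + bp, bits)
        print(f"n={bits:2d}  evaluations={evals:6d}  2^(n/2)={2 ** (bits // 2):6d}")
```

Each extra 2 bits of digest roughly doubles the evaluations, so extrapolating from the toy widths to 128 bits gives the 2^64 cost discussed in the message.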