[16554] in cryptography@c2.net mail archive


Re: The Pointlessness of the MD5 'attacks'

daemon@ATHENA.MIT.EDU (Sidney Markowitz)
Wed Dec 22 11:10:14 2004

X-Original-To: cryptography@metzdowd.com
Date: Thu, 16 Dec 2004 05:58:44 +1300
From: Sidney Markowitz <sidney@sidney.com>
To: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <10220.38.119.128.203.1103125517.squirrel@38.119.128.203>

This isn't worked out enough to be a proof of concept, but I can imagine 
a piece of code that has a comment "This can't overflow because value X 
computed from the magic bits table will always be between A and B. Get 
0.1% speed boost by leaving out range check here but don't change magic 
bits".

That doesn't even have to be so obscure. It provides a place to 
introduce a security hole that will not be noticed by substituting a new 
magic bits table without the protective property. Unless someone takes 
their copy of the source code that has MD5 equal to the MD5 of the 
sources that have been reviewed by the experts and verifies for 
themselves whether their magic bits table does compute a value X between 
A and B, they are vulnerable. If MD5 is trusted, there is no reason to 
audit every downloaded copy of the source code like that, as long as you 
are sure that someone has done the audit.

  -- sidney
     http://www.sidney.com/
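The audit the message says nobody performs once the MD5 digest is trusted, as an added example that is not part of Sidney Markowitz's post. The "magic bits" table, the buffer size, the formula for the value X and the names `audit_table`, `checked_lookup` and `unchecked_lookup` are all constructed stand-ins for the kind of code he describes: a lookup table feeding an index, and a comment promising the index always lands between A and B so the range check can be dropped. The point the code makes is that the promise can be verified exhaustively against the table actually in hand, which a digest comparison cannot do when the digest can collide.

```python
"""Audit a 'magic bits' table for the range invariant a comment claims.

Added example, not code from the mailing-list post. BUFFER_SIZE, the
tables and compute_x() are constructed stand-ins for the pattern the
post describes. The defender's move is to re-check the claimed invariant
on the downloaded artifact rather than trust that a matching MD5 means
the table is the one the experts reviewed.
"""

BUFFER_SIZE = 64           # hypothetical buffer the unchecked index addresses
A, B = 0, BUFFER_SIZE - 1  # the range the comment promises for X

# Constructed table that honours the promise: every entry is below 32,
# so the sum of any two entries stays below BUFFER_SIZE.
SAFE_TABLE = [(i * 13 + 5) % 32 for i in range(256)]

# The same table with a single entry altered; this is the kind of change
# that could ride along in a file whose MD5 is unchanged.
BAD_TABLE = list(SAFE_TABLE)
BAD_TABLE[200] = 40


def compute_x(table, b0, b1):
    """Stand-in for the value X derived from two input bytes and the table."""
    return table[b0 & 0xFF] + table[b1 & 0xFF]


def audit_table(table, lo=A, hi=B):
    """Exhaustively verify that X stays within [lo, hi] for every input pair.

    Returns (ok, offenders); offenders lists (b0, b1, x) triples that break
    the claim. 256 * 256 input pairs is cheap to enumerate; for wider inputs
    one would bound X from the table's min and max instead.
    """
    offenders = []
    for b0 in range(256):
        for b1 in range(256):
            x = compute_x(table, b0, b1)
            if not lo <= x <= hi:
                offenders.append((b0, b1, x))
    return (not offenders, offenders)


def unchecked_lookup(buf, table, b0, b1):
    """The 0.1%-faster code path: trusts the comment, performs no range check.

    In Python an out-of-range index raises IndexError; the C original the
    post imagines would instead read past the buffer.
    """
    return buf[compute_x(table, b0, b1)]


def checked_lookup(buf, table, b0, b1):
    """Hardened variant: keeps the range check and fails closed on a bad table."""
    x = compute_x(table, b0, b1)
    if not A <= x <= B:
        raise ValueError(f"index {x} outside [{A}, {B}]; table is not trustworthy")
    return buf[x]


if __name__ == "__main__":
    ok, _ = audit_table(SAFE_TABLE)
    print("reviewed table passes audit:", ok)
    ok, bad = audit_table(BAD_TABLE)
    print("altered table passes audit:", ok, "- first violation:", bad[0])
```

Run the file directly to see the reviewed table pass and the altered table fail with its first offending input pair; the same `audit_table()` call is what a build step would run on the source tree it actually compiles, independent of any checksum.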

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
