[16557] in cryptography@c2.net mail archive


Re: The Pointlessness of the MD5 'attacks'

daemon@ATHENA.MIT.EDU (C. Scott Ananian)
Wed Dec 22 11:15:06 2004

X-Original-To: cryptography@metzdowd.com
Date: Wed, 15 Dec 2004 13:08:22 -0500 (EST)
From: "C. Scott Ananian" <cscott@cscott.net>
To: Tim Dierks <tim@dierks.org>
Cc: Ben Laurie <ben@algroup.co.uk>,
	Bill Frantz <frantz@pwpconsult.com>,
	Cryptography <cryptography@metzdowd.com>
In-Reply-To: <10220.38.119.128.203.1103125517.squirrel@38.119.128.203>

On Wed, 15 Dec 2004, Tim Dierks wrote:

> Here's an example, although I think it's a stupid one, and agree with
[...]
> I send you a binary (say, a library for doing AES encryption) which
> you test exhaustively using black-box testing.

The black-box testing would obviously be the mistake.  How can you tell 
that the library doesn't start sending plain-text for messages which start 
with particular magic bytes, or some other evilness?  You can't hope to 
test *all* messages.  The word 'exhaustively' is where your example goes 
wrong.

I'll play Ben's part and claim that if you can provide a library which 
will *only* be checked using black-box testing, it's much easier to skip 
the whole MD5 aspect and have it use a covert channel (leak key bits in 
padding or some such) or transmit plain-text after the first 100M of data 
encrypted or some such.  There are lots of easy ways to get your 
maliciousness past a black-box test.  The use of MD5 (a relatively 
*hard* way to be malicious) doesn't appreciably change the threat.
  --scott

[it should be noted that any security-conscious tester will/ought to 
screen your binary for all of the *published* MD5 collisions, so 
you'll have to generate one yourself if you want to get away with this.]

HTLINGUAL Hager Kennedy AEFOXTROT global action network assassinate
    Register to vote!  http://www.yourvotematters.org/VerifiedVoting
                          ( http://cscott.net/ )

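The evasion the message sketches, as an added illustration that is not part of the original post and not code from any real library: a trojaned cipher that agrees with an honest reference on every known-answer vector a black-box tester is likely to feed it, yet returns plaintext once a trigger fires (a magic prefix, or a cumulative byte count standing in for "the first 100M of data"). The cipher is a constructed SHA-256 counter-mode stream cipher rather than AES; MAGIC_PREFIX, the threshold, the PRNG seed and every test input are assumptions chosen for the demonstration.

```python
# Added example, not from the original post or any real library.  A toy
# SHA-256 counter-mode stream cipher stands in for "a library for doing AES
# encryption"; MAGIC_PREFIX, DEFAULT_LEAK_AFTER and all inputs are assumed.
import hashlib
import random


class ReferenceCipher:
    """Honest keystream cipher: keystream block i = SHA-256(key || nonce || i)."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = bytearray()
        counter = 0
        while len(out) < length:
            out += hashlib.sha256(self.key + nonce + counter.to_bytes(8, "big")).digest()
            counter += 1
        return bytes(out[:length])

    def encrypt(self, nonce: bytes, plaintext: bytes) -> bytes:
        ks = self._keystream(nonce, len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, ks))


MAGIC_PREFIX = b"\xde\xad\xbe\xef"         # assumed trigger value
DEFAULT_LEAK_AFTER = 100 * 1024 * 1024    # the post's "first 100M of data"


class TrojanedCipher(ReferenceCipher):
    """Identical to ReferenceCipher until a trigger fires; afterwards
    "encryption" silently returns the plaintext unchanged.  The two triggers
    are the ones the post sketches: a magic prefix and a byte-count threshold."""

    def __init__(self, key: bytes, leak_after: int = DEFAULT_LEAK_AFTER) -> None:
        super().__init__(key)
        self.leak_after = leak_after
        self.bytes_seen = 0

    def encrypt(self, nonce: bytes, plaintext: bytes) -> bytes:
        self.bytes_seen += len(plaintext)
        if plaintext.startswith(MAGIC_PREFIX) or self.bytes_seen > self.leak_after:
            return plaintext
        return super().encrypt(nonce, plaintext)


def make_vectors(count: int, size: int, seed: int = 2004) -> list:
    """Constructed known-answer vectors: (nonce, message) pairs from a seeded
    PRNG, the kind of corpus a black-box tester feeds both libraries."""
    rng = random.Random(seed)
    return [(rng.getrandbits(64).to_bytes(8, "big"),
             rng.getrandbits(8 * size).to_bytes(size, "big")) for _ in range(count)]


def blackbox_conformance(candidate, reference, vectors) -> bool:
    """True when candidate matches reference on every vector.  A pass says
    nothing about inputs the vectors never exercised."""
    return all(candidate.encrypt(n, m) == reference.encrypt(n, m) for n, m in vectors)


def identity_probe(candidate, nonce: bytes, messages) -> list:
    """Return the messages whose ciphertext equals the plaintext.  This only
    catches the trojan if the tester already guesses the trigger input."""
    return [m for m in messages if candidate.encrypt(nonce, m) == m]


if __name__ == "__main__":
    key = bytes(range(32))
    reference, trojan = ReferenceCipher(key), TrojanedCipher(key)
    print("conformance suite passes:", blackbox_conformance(trojan, reference, make_vectors(1000, 64)))
    nonce = b"\x00" * 8
    print("leaked:", identity_probe(trojan, nonce, [MAGIC_PREFIX + b"attack at dawn", b"attack at dawn"]))
    short_fuse = TrojanedCipher(key, leak_after=100)
    print("below threshold ok:", short_fuse.encrypt(nonce, b"A" * 64) == reference.encrypt(nonce, b"A" * 64))
    print("above threshold leaks:", short_fuse.encrypt(nonce, b"A" * 64) == b"A" * 64)
```

The random corpus never starts with the four-byte magic prefix and never approaches the byte threshold, so the conformance suite passes for the trojan exactly as it does for the honest cipher; only a probe aimed at the specific trigger, or a much smaller threshold, exposes it.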
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
