[16559] in cryptography@c2.net mail archive


Re: The Pointlessness of the MD5 "attacks"

daemon@ATHENA.MIT.EDU (Ben Laurie)
Wed Dec 22 11:17:02 2004

X-Original-To: cryptography@metzdowd.com
Date: Thu, 16 Dec 2004 10:05:41 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: John Kelsey <kelsey.j@ix.netcom.com>
Cc: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <21632647.1103123170966.JavaMail.root@beaker.psp.pas.earthlink.net>

John Kelsey wrote:
>> So, to exploit this successfully, you need code that cannot or will
>> not be inspected. My contention is that any such code is untrusted
>> anyway, so being able to change its behaviour on the basis of
>> embedded bitmap changes is a parlour trick. You may as well have it
>> ping a website to find out whether to misbehave.
> 
> So, are you sure there can never be a program which allows such an
> exploit?  I've seen programs that had embedded components (state
> machines in particular) which were not easily human-readable, and had
> themselves been generated by computer.  And even large graphics,
> sound, or video sequences can really change the meaning of a
> program's actions in some ways; those might be susceptible to the
> requirements of the attack.  I agree it's hard to see how to exploit
> the existing MD5 collision attacks in programs that would look
> innocent, but I don't see what makes it *impossible*.

I did not say it was impossible; I said that such exploits would work
just as well without MD5 collisions. For example, if you are going to
trigger on some subtle distinction such as a single bit flipped, then
make that a bit in a counter, or a bit in the input stream.

> Then you have data files, as Adam Back mentioned, which are often not
> human readable, but you'd still like to know if the signature on them
> is valid, or if they've been changed surreptitiously since the last
> time they were checked over.
> 
> Finally, I'm very skeptical that the attacks that have been found
> recently are the best or only ones that can be done. Do we have any
> special reason to think that there will never be a way to adapt the
> attack to be able to slip something plausible looking into a C
> program?  Once your hash function starts allowing collisions, it
> really just becomes a lot less valuable.

I do not have a special reason to think anything about future attacks on 
MD5. I am discussing the present attacks.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

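The "parlour trick" under discussion, as an added example that is not part of
the original message or the list's code. It embeds the two 128-byte messages
published with the 2004 MD5 collision (both are real; their shared digest is
verified by the code rather than assumed), builds a hypothetical "program"
from a blob plus a reviewed body, and keys the program's behaviour on the one
bit of the blob that differs. The names PROGRAM_BODY, build_program,
run_program and counter_trigger are constructed for this example. It also
checks the caveat a reviewer would want: the published pair collides only
from MD5's standard IV, so it survives any appended suffix but not a prepended
prefix.

```python
import hashlib

# The two 128-byte messages published with the 2004 MD5 collision (Wang et al.).
# They differ in six bytes yet share one MD5 digest.
COLLIDING_BLOB_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLIDING_BLOB_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Hypothetical "program body": the part a reviewer actually reads.
# Constructed for this example; any trailing bytes would do.
PROGRAM_BODY = (
    b"\n# reviewed logic follows\n"
    b"if embedded_blob[19] & 0x80: act_benign()\n"
    b"else: act_malicious()\n"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list[int]:
    """Byte offsets at which the two blobs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def build_program(blob: bytes) -> bytes:
    """Embedded blob first, then the body.

    The blob must sit at the very start: the published pair collides only
    from MD5's standard IV, so any bytes placed before it change the
    chaining value and destroy the collision (see prefix_breaks_collision).
    """
    return blob + PROGRAM_BODY


def run_program(program: bytes) -> str:
    """The 'parlour trick': behaviour keyed on one bit of the embedded blob.

    Byte 19 is 0x87 in blob A and 0x07 in blob B; the high bit decides.
    """
    blob = program[: len(COLLIDING_BLOB_A)]
    return "benign" if blob[19] & 0x80 else "malicious"


def counter_trigger(invocation: int) -> str:
    """Ben's point: the same switch keyed on a counter bit needs no collision."""
    return "benign" if invocation & 0x80 else "malicious"


def suffix_preserves_collision(suffix: bytes) -> bool:
    """MD5 is iterated, so equal chaining state after the blobs stays equal."""
    return md5_hex(COLLIDING_BLOB_A + suffix) == md5_hex(COLLIDING_BLOB_B + suffix)


def prefix_breaks_collision(prefix: bytes) -> bool:
    """Anything before the blobs moves them off the standard IV."""
    return md5_hex(prefix + COLLIDING_BLOB_A) != md5_hex(prefix + COLLIDING_BLOB_B)


if __name__ == "__main__":
    prog_a, prog_b = build_program(COLLIDING_BLOB_A), build_program(COLLIDING_BLOB_B)
    print("blobs differ at offsets:", differing_offsets(COLLIDING_BLOB_A, COLLIDING_BLOB_B))
    print("same MD5 for both programs:", md5_hex(prog_a) == md5_hex(prog_b))
    print("program A does:", run_program(prog_a), "| program B does:", run_program(prog_b))
    print("suffix keeps collision:", suffix_preserves_collision(b"trailing"))
    print("prefix breaks collision:", prefix_breaks_collision(b"x"))
```

Both programs verify against the same MD5 digest yet take different branches,
which is the whole of the trick; counter_trigger shows that the same
misbehaviour is available to any code whose body nobody inspects, with no
collision required. The prefix check is the practical limit of the 2004
result: the colliding blocks have to be the first 128 bytes of whatever is
hashed.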
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
