Some notes to "MD5 To Be Considered Harmful Someday" - practical uses, additional attacks

Ondrej Mikle ondrej.mikle at gmail.com
Wed Dec 8 10:35:27 EST 2004


I've read the paper. What is stunning is that I've written a similar paper
named "Practical Attacks on Digital Signatures Using MD5 Message
Digest" using very similar techniques only recently. It was submitted
to the Cryptology ePrint Archive (http://eprint.iacr.org) a week ago, on
December 2nd. They will probably publish it in a day or two (I guess);
they are processing December papers right now.

The difference is that I've focused mainly on practical attacks in the
software distribution channel (an attack scenario is depicted).
The attack scenario is based on talks with a couple of
developers/packagers on how software packaging and distribution
work.

The paper describes an example of a pair of executables and data files
which have the same MD5 sum but extract different contracts. Then, there
is the idea and a practical demonstration of a tool that creates custom
(self-)extracting packages which can contain arbitrary files, again both
with identical MD5 sums, each extracting a different one. Lastly, there is
a note on how it could be made even more effective once an algorithm to
find MD5 collisions for any initialization vector is published.

Most Windows software is distributed as self-extracting (self-installing)
executables. In the Linux world, self-extracting executables are not so
common. The formats tar.gz, tar.bz2, zip and various packages (rpm, deb,
etc.) prevail. After submitting the paper we have been inspecting whether a
similar attack could be made on these formats. Well, definitely yes
for zip, tar.bz2 and tar.gz. The only problem was to find a concurrent
collision in MD5 and CRC32, which is not that hard after all
(the estimated time is approx. 320 hours using a single PC like the one on
your desk, or less than one day on 16 PCs). For rpm and deb packages,
the trick is to put the colliding block somewhere in the header, where
it is not checked internally by the package manager for any checksum.

The paper, source code, examples and attacks on zip/gzip/.../rpm/...
formats can be found at:
http://cryptography.hyperlink.cz/2004/collisions.htm

We think that these attacks could be used even today, but they are not
so hard to spot when people are aware of them.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
