How thorough are the hash breaks, anyway?

Daniel Carosone dan at geek.com.au
Thu Aug 26 17:40:23 EDT 2004


On Thu, Aug 26, 2004 at 11:09:49AM -0400, Trei, Peter wrote:

> Looking over the recent work on hash collisions, one
> thing that struck me was that they all seem to be 
> attacks on known plaintext - the 'plaintexts' which
> collided were very close to each other,  varying in 
> only a few bits. 

Yep, so far... but let's assume for the moment that's as far as they
will go, however nervous it makes us about future extension of the
break.

> It allows you (if you're fortunate) to modify a signed
> message and have the signature still check out. 
> However, if you don't know the original plaintext
> it does not seem to allow you construct a second
> message with the same hash.

True. Even if you know the plaintext, many of the messages you might
want to tamper with have some sort of internal consistency constraints
(structured file formats, executable code for a particular
architecture, etc) that limit the possibilities of a useful attack.

There is one application of hashes, however, that fits these
limitations very closely and has me particularly worried:
certificates.  The public key data is public, and it's a "random"
bitpattern where nobody would ever notice a few different bits.

If someone finds a collision for Microsoft's Windows Update cert (or a
number of other possibilities), the fan is well and truly buried
in it.

--
Dan.