The Pointlessness of the MD5 "attacks"

[Bill Frantz]

On 12/14/04, ben at algroup.co.uk (Ben Laurie) wrote:

>Dan Kaminsky's recent posting seems to have caused some excitement, but 
>I really can't see why. In particular, the idea of having two different 
>executables with the same checksum has attracted attention.
>
>But the only way I can see to exploit this would be to have code that 
>did different things based on the contents of some bitmap. My contention 
>is that if the code is open, then it will be obvious that it does 
>"something bad" if a bit is tweaked, and so will be suspicious, even if 
>the "something bad" is not triggered in the version seen.
>
>So, to exploit this successfully, you need code that cannot or will not 
>be inspected. My contention is that any such code is untrusted anyway, 
>so being able to change its behaviour on the basis of embedded bitmap 
>changes is a parlour trick. You may as well have it ping a website to 
>find out whether to misbehave.

One scenario that might form an attack is to take code which is normally distributed in executable form, for example RPMs, and make it possible to have two different programs that pass the same signature check.  Given that someone has arranged to have the doppleganger blocks generated as part of the output of the compiler, different binaries can later be injected into the distribution system without a signature verification failure.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | The first thing you need when  | Periwinkle 
(408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter.                     | Los Gatos, CA 95032

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com