The Pointlessness of the MD5 "attacks"
Ben Laurie
ben at algroup.co.uk
Wed Dec 15 03:51:29 EST 2004
Bill Frantz wrote:
> On 12/14/04, ben at algroup.co.uk (Ben Laurie) wrote:
>
>
>> Dan Kaminsky's recent posting seems to have caused some excitement,
>> but I really can't see why. In particular, the idea of having two
>> different executables with the same checksum has attracted
>> attention.
>>
>> But the only way I can see to exploit this would be to have code
>> that did different things based on the contents of some bitmap. My
>> contention is that if the code is open, then it will be obvious
>> that it does "something bad" if a bit is tweaked, and so will be
>> suspicious, even if the "something bad" is not triggered in the
>> version seen.
>>
>> So, to exploit this successfully, you need code that cannot or will
>> not be inspected. My contention is that any such code is untrusted
>> anyway, so being able to change its behaviour on the basis of
>> embedded bitmap changes is a parlour trick. You may as well have it
>> ping a website to find out whether to misbehave.
>
>
> One scenario that might form an attack is to take code which is
> normally distributed in executable form, for example RPMs, and make
> it possible to have two different programs that pass the same
> signature check. Given that someone has arranged to have the
> doppelganger blocks generated as part of the output of the compiler,
> different binaries can later be injected into the distribution system
> without a signature verification failure.
Indeed, but what's the point? If you control the binary, just distribute
the malicious version in the first place.
People seem to be having a hard time grasping what I'm trying to say, so
perhaps I should phrase it as a challenge: find me a scenario where you
can use an MD5 collision to mount an attack in which I could not mount
an equally effective attack without using an MD5 collision.
So, for example, in the scenario above, the attacker has control of a
binary in which he can insert arbitrary content. Clearly, in his place,
I can simply distribute malware without any MD5 collisions.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com