The Pointlessness of the MD5 "attacks"

Adam Back adam at cypherspace.org
Wed Dec 15 06:24:49 EST 2004


Is this the case?  Can't we instead start with code C and malicious C'
and try to find a collision on H(C||B) == H(C'||B') after trying 2^64
B values we'll find such a collision by the birthday principle.

Now we can have people review and attest to the correctness of code C,
and then we can MITM and change surreptitiously with C'.

Adam

On Wed, Dec 15, 2004 at 08:44:03AM +0000, Ben Laurie wrote:
> Adam Back wrote:
> >Well the people doing the checking (a subset of the power users) may
> >say "I checked the source and it has this checksum", and another user
> >may download that checksum and be subject to MITM and not know it.
>
> You are missing the point - since the only way to make this trick work 
> is to include a very specific chunk of 64 bytes with a few bits flipped 
> (or not), the actual malicious code must be present anyway and triggered 
> by the flipped bits. So, all of these attacks rely on the code not being 
> inspected or being sufficiently cunning that inspection didn't help. 
> And, if that's the case, the attacks work without any MD5 trickery.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
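An added illustration of the generic birthday search Adam describes (finding suffixes B, B' with H(C||B) == H(C'||B')) and of the cost argument behind it; this is example code written for this page, not code from Adam Back, Ben Laurie, or any project they mention. It truncates MD5 to a small number of bits so the search finishes in well under a second, and reports how the trial count compares with the 2^(bits/2) birthday estimate, which at the full 128 bits is the 2^64 figure in the message. The prefixes, function names and suffix encoding are constructed assumptions. Note what the result does and does not give: the two inputs share a (truncated) digest, but C' is present in full in the second input, which is Ben's point that a checksum collision only helps an attacker whose substituted code would survive inspection anyway.

```python
import hashlib
from itertools import count

# Example code added for illustration; not from the mailing-list thread.
# The prefixes, names and 8-byte counter suffix are constructed assumptions.


def truncated_md5(data: bytes, bits: int) -> int:
    """MD5 truncated to its top `bits` bits (bits=128 gives the full digest).

    Truncation keeps the birthday search small enough to run instantly."""
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def expected_work(bits: int) -> float:
    """Birthday estimate: about 2^(bits/2) hash evaluations per prefix.

    For the full 128-bit MD5 this is 2^64, the figure quoted in the message."""
    return 2.0 ** (bits / 2)


def find_cross_collision(c: bytes, c_prime: bytes, bits: int):
    """Generic birthday search for B, B' such that H(C||B) == H(C'||B').

    One table is kept per prefix; each new truncated digest is looked up in
    the other prefix's table. Returns (B, B', trials) where `trials` is the
    number of suffix values tried for each prefix. This is the generic
    attack, not the structured MD5 collision technique the thread discusses.
    """
    seen_c = {}        # truncated digest -> suffix B used with prefix C
    seen_c_prime = {}  # truncated digest -> suffix B' used with prefix C'
    for i in count():
        suffix = i.to_bytes(8, "big")   # deterministic suffix values
        h = truncated_md5(c + suffix, bits)
        if h in seen_c_prime:
            return suffix, seen_c_prime[h], i + 1
        seen_c[h] = suffix
        h2 = truncated_md5(c_prime + suffix, bits)
        if h2 in seen_c:
            return seen_c[h2], suffix, i + 1
        seen_c_prime[h2] = suffix


if __name__ == "__main__":
    reviewed = b"# reviewed version of the code C\n"      # constructed
    substituted = b"# substituted version C'\n"           # constructed
    bits = 24
    b, b_prime, trials = find_cross_collision(reviewed, substituted, bits)
    print(f"{bits}-bit collision after {trials} suffixes per prefix "
          f"(birthday estimate ~{expected_work(bits):.0f})")
    print("truncated digests equal:",
          truncated_md5(reviewed + b, bits)
          == truncated_md5(substituted + b_prime, bits))
    print("full MD5 digests equal:",
          truncated_md5(reviewed + b, 128)
          == truncated_md5(substituted + b_prime, 128))
    print(f"full 128-bit MD5 would need about {expected_work(128):.0f} "
          "evaluations per prefix")
```

Raising `bits` by 2 roughly doubles the trial count, which is the 2^(n/2) scaling; a verifier who compares the full digest (or a longer hash) rather than a truncation is therefore asking the attacker for 2^64 work under this generic approach.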
