The Pointlessness of the MD5 "attacks"

John Kelsey kelsey.j at ix.netcom.com
Wed Dec 15 10:06:10 EST 2004


>From: Ben Laurie <ben at algroup.co.uk>
>Sent: Dec 14, 2004 9:43 AM
>To: Cryptography <cryptography at metzdowd.com>
>Subject: The Pointlessness of the MD5 "attacks"

>Dan Kaminsky's recent posting seems to have caused some excitement, but 
>I really can't see why. In particular, the idea of having two different 
>executables with the same checksum has attracted attention.

>But the only way I can see to exploit this would be to have code that 
>did different things based on the contents of some bitmap. My contention 
>is that if the code is open, then it will be obvious that it does 
>"something bad" if a bit is tweaked, and so will be suspicious, even if 
>the "something bad" is not triggered in the version seen.

>So, to exploit this successfully, you need code that cannot or will not 
>be inspected. My contention is that any such code is untrusted anyway, 
>so being able to change its behaviour on the basis of embedded bitmap 
>changes is a parlour trick. You may as well have it ping a website to 
>find out whether to misbehave.

So, are you sure there can never be a program which allows such an exploit?  I've seen programs that had embedded components (state machines in particular) which were not easily human-readable, and had themselves been generated by computer.  And even large graphics, sound, or video sequences can really change the meaning of a program's actions in some ways; those might be susceptible to the requirements of the attack.  I agree it's hard to see how to exploit the existing MD5 collision attacks in programs that would look innocent, but I don't see what makes it *impossible*.  

Then you have data files, as Adam Back mentioned, which are often not human readable, but you'd still like to know if the signature on them is valid, or if they've been changed surreptitiously since the last time they were checked over.  

Finally, I'm very skeptical that the attacks that have been found recently are the best or only ones that can be done.  Do we have any special reason to think that there will never be a way to adapt the attack to be able to slip something plausible looking into a C program?  Once your hash function starts allowing collisions, it really just becomes a lot less valuable.

>Cheers,
>Ben.

--John
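The layout the thread is arguing about, as an added example that is not part of the original message or of Kaminsky's posting: two files that differ only inside an embedded 128-byte blob, share one MD5, and behave differently because the shared code branches on a byte of that blob.  The colliding blocks are the pair published by Wang, Feng, Lai and Yu in 2004; they collide starting from MD5's standard initial value, so the blob has to be the first 128 bytes of the file (a blob placed after a shared prefix would need a collision computed from that prefix's chaining value instead).  Everything after the blob is identical in both files, and since an MD5 collision is a collision of the full internal state, any common suffix preserves it.  The "program body" here is a constructed stand-in, not real executable code; the point is that the `blob[19] == 0x87` branch is plainly visible to anyone who reads it, while the same blob dropped into an opaque data file would not be.

```python
"""Two files, one MD5: the branch-on-an-embedded-blob layout discussed above."""
import hashlib

# Published MD5 collision pair (Wang, Feng, Lai, Yu, 2004): two 128-byte
# inputs with the same MD5 under the standard IV.  They differ in six bytes.
WANG_BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
WANG_BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Constructed stand-in for the shared part of the "executable".  The same
# bytes are appended to both blobs; this is all a reviewer of the program sees.
SHARED_CODE = b"\n".join([
    b"# constructed program body (identical in both files)",
    b"blob = read_first_128_bytes(self)",
    b"if blob[19] == 0x87: do_benign() else: do_malicious()",
    b"",
])


def build_file(blob: bytes) -> bytes:
    """Lay a file out as <collision blob><shared code>.

    The blob must come first: the published pair collides from MD5's
    standard IV, so a shared prefix in front of it would break the collision.
    """
    if len(blob) != 128:
        raise ValueError("blob must be exactly two 64-byte MD5 blocks")
    return blob + SHARED_CODE


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def behaviour(file_bytes: bytes) -> str:
    """What the embedded program would do.  It keys off byte 19 of the blob,
    one of the six bytes that differ between the two colliding blocks."""
    blob = file_bytes[:128]
    return "benign" if blob[19] == 0x87 else "malicious"


def differing_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def demo() -> dict:
    good = build_file(WANG_BLOCK_A)
    evil = build_file(WANG_BLOCK_B)
    return {
        "same_bytes": good == evil,
        "same_md5": md5_hex(good) == md5_hex(evil),
        # The collision is specific to MD5; a second hash tells the files apart.
        "same_sha256": hashlib.sha256(good).digest() == hashlib.sha256(evil).digest(),
        "behaviour_good": behaviour(good),
        "behaviour_evil": behaviour(evil),
        "differing_offsets": differing_offsets(good, evil),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the two files differing at exactly the six blob offsets, sharing one MD5, and being told apart immediately by SHA-256, which is why publishing a second, independent digest alongside the MD5 defeats this particular layout.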

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com