The Pointlessness of the MD5 'attacks'

Tim Dierks tim at dierks.org
Wed Dec 15 10:45:17 EST 2004


On Wed, 15 Dec 2004 08:51:29 +0000, Ben Laurie <ben at algroup.co.uk> wrote:
> People seem to be having a hard time grasping what I'm trying to say, so
> perhaps I should phrase it as a challenge: find me a scenario where you
> can use an MD5 collision to mount an attack in which I could not mount
> an equally effective attack without using an MD5 collision.

Here's an example, although I think it's a stupid one, and agree with
you that the MD5 attack, as it's currently known to work, isn't a
material problem (although it's a clear signal that one shouldn't use
MD5):

I send you a binary (say, a library for doing AES encryption) which
you test exhaustively using black-box testing. The library is known
not to link against any external APIs (in fact, perhaps it's
implemented in a language and runtime with a decent security sandbox
model, e.g., Java). You then incorporate it into your application and
sign the whole thing with MD5+RSA to vouch for its accuracy.

I incorporate several copies of a suitable MD5 collision block in my
library, so one of them will be at the correct 64-byte block boundary.
I can then modify bits inside of my library, which are checked by the
library code and cause it to change the functionality of the library,
yet the signature will still verify.

This would be pretty easy to do as a proof-of-concept, but I don't
have the time.

- Tim

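The scenario above, as an added example that is not part of Tim's message or any real AES library: a Python script that builds two "library" images differing only in which half of a published MD5 collision pair they carry, shows that a signature computed over the MD5 digest verifies for both, and has the library code branch on one of the differing bytes. The colliding 128-byte blocks are the pair published by Wang et al. (2004) as reproduced in the Wikipedia MD5 article; the library body, the byte chosen for the branch, and the function names are this example's own assumptions. Signing is stood in for by the bare digest, since an MD5+RSA signature covers nothing but that digest.

```python
import hashlib

# The two colliding 128-byte messages published by Wang et al. (2004), as
# reproduced in the Wikipedia article on MD5. Both hash to
# 79054025255fb1a26e4bc422aef54eb4. They were generated from MD5's standard
# initial value, so they collide only when placed at offset 0 of the file.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")

# Constructed stand-in for the rest of the library (the code that follows the
# collision block). Any suffix works: MD5 is Merkle-Damgard, so two inputs that
# collide at a 64-byte block boundary still collide after a common suffix.
LIBRARY_BODY = b"/* hypothetical AES library code follows the collision block */\n" * 4

# Byte 19 is one of the six bytes that differ between BLOCK_A and BLOCK_B
# (0x87 in A, 0x07 in B). A real library would hide such a check in its logic.
SWITCH_BYTE = 19


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_library(block: bytes, prefix: bytes = b"") -> bytes:
    """Assemble a library image: optional prefix, the collision block, the body."""
    return prefix + block + LIBRARY_BODY


def sign(image: bytes) -> str:
    """Stand-in for MD5+RSA: the signature depends only on the MD5 digest."""
    return md5_hex(image)


def verify(image: bytes, signature: str) -> bool:
    return sign(image) == signature


def library_behaviour(image: bytes, block_offset: int = 0) -> str:
    """The 'check inside the library' Tim describes: branch on a block byte."""
    return "benign" if image[block_offset + SWITCH_BYTE] == 0x87 else "backdoored"


def collides(prefix: bytes) -> bool:
    """Do the two images still share an MD5 when the block sits after `prefix`?"""
    return md5_hex(build_library(BLOCK_A, prefix)) == md5_hex(build_library(BLOCK_B, prefix))


def aligned_copies(image: bytes, block: bytes) -> list:
    """Offsets of copies of `block` that start on a 64-byte MD5 block boundary."""
    offsets, start = [], 0
    while (i := image.find(block, start)) != -1:
        if i % 64 == 0:
            offsets.append(i)
        start = i + 1
    return offsets


if __name__ == "__main__":
    benign = build_library(BLOCK_A)
    sig = sign(benign)                      # what the reviewer signs after testing
    evil = build_library(BLOCK_B)           # same length, same MD5, different bytes
    print("signature verifies on benign image:", verify(benign, sig))
    print("signature verifies on swapped image:", verify(evil, sig))
    print("behaviour:", library_behaviour(benign), "->", library_behaviour(evil))
    print("collision survives a 1-byte misalignment:", collides(b"\x00"))
    print("aligned copies:", aligned_copies(b"\x00" * 64 + BLOCK_A, BLOCK_A))
```

Two points a practitioner should take from running it. First, the check in library_behaviour is the only place the two images differ in effect; black-box testing of the benign image says nothing about the swapped one, yet verify() accepts both. Second, collides(b"\x00") is False: this published pair was computed from MD5's standard IV, so it only works at offset 0. Tim's "several copies" trick needs a pair computed for the chaining value MD5 has reached at the chosen 64-byte boundary, which aligned_copies() is there to locate; a block at a non-multiple-of-64 offset never lines up with MD5's compression input and buys nothing.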

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com