The Pointlessness of the MD5 "attacks"

David Wagner daw at cs.berkeley.edu
Wed Dec 15 11:35:40 EST 2004 

Ben Laurie writes:
>Dan Kaminsky's recent posting seems to have caused some excitement, but 
>I really can't see why. In particular, the idea of having two different 
>executables with the same checksum has attracted attention.
>
>But the only way I can see to exploit this would be to have code that 
>did different things based on the contents of some bitmap. My contention 
>is that if the code is open, then it will be obvious that it does 
>"something bad" if a bit is tweaked, and so will be suspicious, even if 
>the "something bad" is not triggered in the version seen.
>
>So, to exploit this successfully, you need code that cannot or will not 
>be inspected. My contention is that any such code is untrusted anyway, 
>so being able to change its behaviour on the basis of embedded bitmap 
>changes is a parlour trick. You may as well have it ping a website to 
>find out whether to misbehave.

I guess I disagree.  Imagine that the code has some block cipher with
some S-boxes hardcoded into it.  The code uses this block cipher to
decrypt an associated ciphertext and outputs (or takes some action based
on) the resulting message.  This is an example of code that could be
used to fool a MD5 checksum.  Moreover, I don't have a great deal of
confidence that even a careful code inspection would cause the code to
be considered suspicious.  Consequently, I don't have great confidence
that such an attack would be detected.

I know it is tempting to think that, look, Wang et al only found a pair
of random-looking messages that collide; they didn't claim to find a pair
of meaningful messages that collide; and maybe we can hope that there is
no way to come up with a pair of meaningful-looking colliding messages.
But I think that kind of hope is unfounded, and acting on hope is
asking for trouble.  I believe the only safe course now is to assume
that MD5's collision resistance is totally broken.  If Wang et al can
find meaningless-looking collisions today, it seems all too likely that
someone else may be able to find meaningful-looking collisions tomorrow.
Hoping that the latter will be hard even though the former is known to
be easy seems too optimistic for my tastes.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list