The Pointlessness of the MD5 "attacks"

Ben Laurie ben at algroup.co.uk
Thu Dec 16 05:05:41 EST 2004


John Kelsey wrote:
>> So, to exploit this successfully, you need code that cannot or will
>> not be inspected. My contention is that any such code is untrusted
>> anyway, so being able to change its behaviour on the basis of
>> embedded bitmap changes is a parlour trick. You may as well have it
>> ping a website to find out whether to misbehave.
> 
> So, are you sure there can never be a program which allows such an
> exploit?  I've seen programs that had embedded components (state
> machines in particular) which were not easily human-readable, and had
> themselves been generated by computer.  And even large graphics,
> sound, or video sequences can really change the meaning of a
> program's actions in some ways; those might be susceptible to the
> requirements of the attack.  I agree it's hard to see how to exploit
> the existing MD5 collision attacks in programs that would look
> innocent, but I don't see what makes it *impossible*.

I did not say it was impossible; I said that such exploits would work
just as well without MD5 collisions. For example, if you are going to
trigger on some subtle distinction such as a single bit flipped, then
make that a bit in a counter, or a bit in the input stream.

> Then you have data files, as Adam Back mentioned, which are often not
> human readable, but you'd still like to know if the signature on them
> is valid, or if they've been changed surreptitiously since the last
> time they were checked over.
> 
> Finally, I'm very skeptical that the attacks that have been found
> recently are the best or only ones that can be done. Do we have any
> special reason to think that there will never be a way to adapt the
> attack to be able to slip something plausible looking into a C
> program?  Once your hash function starts allowing collisions, it
> really just becomes a lot less valuable.

I do not have a special reason to think anything about future attacks on 
MD5. I am discussing the present attacks.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com