The Pointlessness of the MD5 "attacks"

Ben Laurie ben at algroup.co.uk
Thu Dec 16 05:24:55 EST 2004


Jay Sulzberger wrote:
> On Tue, 14 Dec 2004, Ben Laurie wrote:
>> Ondrej Mikle wrote:

[snipped many assertions without supporting evidence that MD5 cracks 
improve attacks]

>>>> So, to exploit this successfully, you need code that cannot or will not
>>>> be inspected. My contention is that any such code is untrusted anyway,
>>>> so being able to change its behaviour on the basis of embedded bitmap
>>>> changes is a parlour trick.
>>>
>>> That's true in theory, but it's different in real world. Take
>>> Microsoft software as an example. Many banks use their software (and
>>> sometimes even military). I don't think that all of them reviewed
>>> Microsoft's source code (I guess only a few, if any at all). There was
>>> an incident of a worm attacking ATMs.
>>
>> No, and they are therefore vulnerable to Microsoft. Note that MD5 is 
>> not required for Microsoft to attack them.
> 
> Again, the MD5 crack helps.  Here one attack is obvious: third parties may
> more easily make substitutions of code.

No, they may not. This crack does _not_ allow a third party to do 
anything interesting.

>>> Another example, Enigma was being sold after WW 2, but the Allies knew
>>> it could be broken. The purchasers did not. Same as when US army sold
>>> some radio communications that used frequency hopping to Iraq during
>>> 1980's. US knew that it could be broken ("just in case...").
>>
>>
>> And MD5 helps with this how?
>>
>> Cheers,
>>
>> Ben.
> 
> 
> The MD5 crack helps here in several ways.  Perhaps the most important is
> that if MD5 is thought to be uncracked, that simple MD5 checking might be
> considered so safe that no second check is used, at points where a second
> and third check would help, thus opening up a possible avenue of attack.

You are simply restating the supposed attack here, without providing any 
evidence it is useful.

> Indeed, even before MD5 was widely known to be cracked, competent security
> folk often recommended that several hashes be used since in most
> applications the cost of computing hashes is small.

This is true, but not germane.

> One point to remember
> is that the published cracks are likely only a small part of the cracks
> known to well funded professionals.  The parallel to the case of the weak
> Enigmas is that many people buying the weak Enigmas thought they were
> uncracked, else they would not have bought them.  Despite the recent
> published MD5 cracks, it is clear that the most interesting cracks of MD5
> are as yet unpublished.

Again, probably true, but definitely not germane. I am saying nothing 
about what future MD5 cracks may enable, I am only commenting on the 
cracks currently known.

To be clear, I am not advocating the use of MD5, nor have I for many 
years. I am simply contesting the theory that the ability to produce 
collisions, as currently known[1], actually provides any useful attack 
vectors.

Cheers,

Ben.

[1] I agree, future possible methods of producing collisions are likely 
to have a real impact on security. This is not what I am discussing.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
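The "second check" Jay mentions above (verifying a download against several independent hashes rather than MD5 alone) is easy to make concrete. The following is an added example, not code from the original thread or from either author: a small verifier in Python that accepts a file only if every published digest matches, so a substitute file that collides under MD5 alone is still rejected by the other digests. The payload, the manifest, and the "collision" are constructed for the illustration; the collision is simulated by copying the tampered file's MD5 into the manifest, since no real colliding pair is on the page.

```python
import hashlib
import hmac

# Constructed sample release file and the digests its publisher would ship alongside it.
SAMPLE_FILE = b"example release payload, constructed for this illustration\n"
DEFAULT_ALGORITHMS = ("md5", "sha1", "sha256")


def digests(data: bytes, algorithms=DEFAULT_ALGORITHMS) -> dict:
    """Compute every requested digest of data (one pass per algorithm, all cheap)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def verify_md5_only(data: bytes, manifest: dict) -> bool:
    """The weak setting: trust the file if its MD5 matches the published MD5."""
    return hmac.compare_digest(hashlib.md5(data).hexdigest(), manifest["md5"])


def verify_all(data: bytes, manifest: dict) -> bool:
    """The corrected setting: every digest in the manifest must match.

    A forged file has to collide under all listed functions at once, not just MD5.
    """
    actual = digests(data, tuple(manifest))
    return all(hmac.compare_digest(actual[alg], manifest[alg]) for alg in manifest)


def simulate_md5_collision() -> tuple:
    """Simulate an attacker who has a file colliding with the original under MD5 only.

    Hypothetical scenario: the manifest's MD5 entry is overwritten with the tampered
    file's MD5 to stand in for a real collision. Returns (md5_only_result, all_result).
    """
    tampered = SAMPLE_FILE + b"tampered content appended\n"
    manifest = digests(SAMPLE_FILE)
    manifest["md5"] = hashlib.md5(tampered).hexdigest()  # stands in for a collision
    return verify_md5_only(tampered, manifest), verify_all(tampered, manifest)


if __name__ == "__main__":
    manifest = digests(SAMPLE_FILE)
    print("untouched file passes all checks:", verify_all(SAMPLE_FILE, manifest))
    md5_only, all_checks = simulate_md5_collision()
    print("MD5-only check fooled by simulated collision:", md5_only)
    print("multi-digest check fooled by simulated collision:", all_checks)
```

`hmac.compare_digest` is used for the comparisons so the verifier does not leak which prefix of a digest matched; the point of the example is the `verify_all` policy, which turns a single-hash collision into a non-event for the verifier.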

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


