The Pointlessness of the MD5 "attacks"
Ben Laurie
ben at algroup.co.uk
Thu Dec 16 05:24:55 EST 2004
Jay Sulzberger wrote:
> On Tue, 14 Dec 2004, Ben Laurie wrote:
>> Ondrej Mikle wrote:
[snipped many assertions without supporting evidence that MD5 cracks
improve attacks]
>>>> So, to exploit this successfully, you need code that cannot or will not
>>>> be inspected. My contention is that any such code is untrusted anyway,
>>>> so being able to change its behaviour on the basis of embedded bitmap
>>>> changes is a parlour trick.
>>>
>>> That's true in theory, but it's different in the real world. Take
>>> Microsoft software as an example. Many banks use their software (and
>>> sometimes even the military). I don't think that all of them reviewed
>>> Microsoft's source code (I guess only a few, if any at all). There was
>>> an incident of a worm attacking ATMs.
>>
>> No, and they are therefore vulnerable to Microsoft. Note that MD5 is
>> not required for Microsoft to attack them.
>
> Again, the MD5 crack helps. Here one attack is obvious: third parties may
> more easily make substitutions of code.
No, they may not. This crack does _not_ allow a third party to do
anything interesting.
>>> Another example: Enigma was being sold after WW2, but the Allies knew
>>> it could be broken. The purchasers did not. Same as when the US army sold
>>> some radio communications that used frequency hopping to Iraq during
>>> the 1980s. The US knew that it could be broken ("just in case...").
>>
>>
>> And MD5 helps with this how?
>>
>> Cheers,
>>
>> Ben.
>
>
> The MD5 crack helps here in several ways. Perhaps the most important is
> that if MD5 is thought to be uncracked, simple MD5 checking might be
> considered so safe that no second check is used, at points where a second
> and third check would help, thus opening up a possible avenue of attack.
You are simply restating the supposed attack here, without providing any
evidence it is useful.
> Indeed, even before MD5 was widely known to be cracked, competent security
> folk often recommended that several hashes be used since in most
> applications the cost of computing hashes is small.
This is true, but not germane.
> One point to remember
> is that the published cracks are likely only a small part of the cracks
> known to well funded professionals. The parallel to the case of the weak
> Enigmas is that many people buying the weak Enigmas thought they were
> uncracked, else they would not have bought them. Despite the recent
> published MD5 cracks, it is clear that the most interesting cracks of MD5
> are as yet unpublished.
Again, probably true, but definitely not germane. I am saying nothing
about what future MD5 cracks may enable; I am only commenting on the
cracks currently known.
To be clear, I am not advocating the use of MD5, nor have I for many
years. I am simply contesting the theory that the ability to produce
collisions, as currently known[1], actually provides any useful attack
vectors.
Cheers,
Ben.
[1] I agree, future possible methods of producing collisions are likely
to have a real impact on security. This is not what I am discussing.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com