The Pointlessness of the MD5 "attacks"
Jon Callas
jon at callas.org
Fri Dec 17 01:58:33 EST 2004
> So, are you sure there can never be a program which allows such an
> exploit? I've seen programs that had embedded components (state
> machines in particular) which were not easily human-readable, and had
> themselves been generated by computer. And even large graphics,
> sound, or video sequences can really change the meaning of a program's
> actions in some ways; those might be susceptible to the requirements
> of the attack. I agree it's hard to see how to exploit the existing
> MD5 collision attacks in programs that would look innocent, but I
> don't see what makes it *impossible*.
>
That's not what Ben is saying at all. He's saying that once you give
the adversary the power to do the sorts of things that are required for
this (like being able to replace a given C with C'), there are easier
ways for the attacker to get the desired result than playing with
collisions.
I do, however, feel the need to be a bit pedantic and say that tables
for state machines are seldom random (for some suitable definition of
random). Nor are graphics, sound, or video. Inserting the artifacts
into them you need to make this work is really, really obvious for the
same reasons that Shamir and Van Someren showed that finding key
material is so easy.
I have an attack that I just came up with that pretty much proves Ben's
point. I can, using this technique, make any MD5 preimage give you any
desired hash value. It's trivial, once I can replace code C with C'.
Give up? Answer below.
Hint: it works just as well against SHA1. Or SHA-256. Or Whirlpool. Or
pick your hash.
Answer:
Patch the md5 software. Put in a table that gets searched -- when you
see hash x, return y. If you want to be clever, obfuscate the check and
the result. Toss in some XORing so you don't have the direct target and
result hashes there, so simple grepping doesn't give the trick away.
But once you can replace C with C', why bother doing bit-flipping when
you can just compile the code you want, and replace the code that rats
you out?
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
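The "patched md5" from the answer above, written out as an added Python example (not code from the post or from any real tool), together with the defender's side of the argument: the tampered tool still passes the RFC 1321 known-answer vectors, because it only lies about one target digest, so the only thing that catches it is running the exact input through an independently sourced implementation. The inputs C and C', the mask seed and the function names are constructed for the example.

```python
import hashlib
from typing import Callable, Iterable

# Constructed sample data (hypothetical): the code the verifier should see,
# and the replacement the attacker swaps in.
ORIGINAL = b"original program image C"        # hypothetical C
SUBSTITUTE = b"substitute program image C'"   # hypothetical C'

# Known-answer vectors from RFC 1321; a tool that lies about one target
# digest still passes these.
RFC1321_KAT = {
    b"": "d41d8cd98f00b204e9800998ecf8427e",
    b"abc": "900150983cd24fb0d6963f7d28e17f72",
}

def reference_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_tampered_md5(trigger: bytes, reported_as: bytes) -> Callable[[bytes], str]:
    """Simulates the patched md5 from the post: a table keyed on the real
    digest, with key and value XOR-masked so neither appears as a literal."""
    mask = hashlib.md5(b"constructed mask seed").digest()   # hypothetical mask

    def xor(b: bytes) -> bytes:
        return bytes(x ^ m for x, m in zip(b, mask))

    table = {xor(hashlib.md5(trigger).digest()): xor(hashlib.md5(reported_as).digest())}

    def tampered(data: bytes) -> str:
        real = hashlib.md5(data).digest()
        hit = table.get(xor(real))
        return (xor(hit) if hit is not None else real).hex()

    return tampered

def passes_kat(md5_impl: Callable[[bytes], str]) -> bool:
    return all(md5_impl(msg) == digest for msg, digest in RFC1321_KAT.items())

def cross_check(data: bytes, impls: Iterable[Callable[[bytes], str]]) -> bool:
    """Defender's check: independently sourced implementations must agree on
    the exact input being verified; a targeted table cannot satisfy both."""
    return len({impl(data) for impl in impls}) == 1

if __name__ == "__main__":
    tampered = build_tampered_md5(SUBSTITUTE, ORIGINAL)
    print("tampered tool passes RFC 1321 KAT:", passes_kat(tampered))
    print("tampered tool reports md5(C) for C':", tampered(SUBSTITUTE) == reference_md5(ORIGINAL))
    print("cross-check on C' flags disagreement:", not cross_check(SUBSTITUTE, [reference_md5, tampered]))
```

The cross-check only helps if the second implementation is not under the same attacker's control, which is exactly the point of the post: once C' can be substituted, the verifier itself is part of what must be trusted.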