The Pointlessness of the MD5 "attacks"
Ben Laurie
ben at algroup.co.uk
Wed Dec 22 12:24:23 EST 2004
David Wagner wrote:
> Ben Laurie writes:
>
>>Dan Kaminsky's recent posting seems to have caused some excitement, but
>>I really can't see why. In particular, the idea of having two different
>>executables with the same checksum has attracted attention.
>>
>>But the only way I can see to exploit this would be to have code that
>>did different things based on the contents of some bitmap. My contention
>>is that if the code is open, then it will be obvious that it does
>>"something bad" if a bit is tweaked, and so will be suspicious, even if
>>the "something bad" is not triggered in the version seen.
>>
>>So, to exploit this successfully, you need code that cannot or will not
>>be inspected. My contention is that any such code is untrusted anyway,
>>so being able to change its behaviour on the basis of embedded bitmap
>>changes is a parlour trick. You may as well have it ping a website to
>>find out whether to misbehave.
>
>
> I guess I disagree. Imagine that the code has some block cipher with
> some S-boxes hardcoded into it. The code uses this block cipher to
> decrypt an associated ciphertext and outputs (or takes some action based
> on) the resulting message. This is an example of code that could be
> used to fool a MD5 checksum. Moreover, I don't have a great deal of
> confidence that even a careful code inspection would cause the code to
> be considered suspicious. Consequently, I don't have great confidence
> that such an attack would be detected.
Assuming you could find a collision s.t. the resulting decryption looked
safe with one version and unsafe with the other (rather than gibberish),
which I find an even bigger stretch than the idea that you could find a
block that looked safe in one version and unsafe in another, I would
have said that the mere fact of using a pointless decryption to control
the action of the code would be suspect.
> I know it is tempting to think that, look, Wang et al only found a pair
> of random-looking messages that collide; they didn't claim to find a pair
> of meaningful messages that collide; and maybe we can hope that there is
> no way to come up with a pair of meaningful-looking colliding messages.
That kind of thinking may tempt you, but it doesn't tempt me. I am not
discussing what it might be possible to do, I am discussing what it is
possibile to do.
> But I think that kind of hope is unfounded, and acting on hope is
> asking for trouble. I believe the only safe course now is to assume
> that MD5's collision resistance is totally broken.
I had assumed that years ago.
> If Wang et al can
> find meaningless-looking collisions today, it seems all too likely that
> someone else may be able to find meaningful-looking collisions tomorrow.
> Hoping that the latter will be hard even though the former is known to
> be easy seems too optimistic for my tastes.
Indeed. Not the point I am making. In a nutshell, yes, it is scary that
Wang found collisions. No, it is not _more_ scary that you can use those
collisions to fool people who aren't looking anyway.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list