The Pointlessness of the MD5 "attacks"

Ben Laurie ben at algroup.co.uk
Wed Dec 22 12:24:23 EST 2004


David Wagner wrote:
> Ben Laurie writes:
> 
>>Dan Kaminsky's recent posting seems to have caused some excitement, but 
>>I really can't see why. In particular, the idea of having two different 
>>executables with the same checksum has attracted attention.
>>
>>But the only way I can see to exploit this would be to have code that 
>>did different things based on the contents of some bitmap. My contention 
>>is that if the code is open, then it will be obvious that it does 
>>"something bad" if a bit is tweaked, and so will be suspicious, even if 
>>the "something bad" is not triggered in the version seen.
>>
>>So, to exploit this successfully, you need code that cannot or will not 
>>be inspected. My contention is that any such code is untrusted anyway, 
>>so being able to change its behaviour on the basis of embedded bitmap 
>>changes is a parlour trick. You may as well have it ping a website to 
>>find out whether to misbehave.
> 
> 
> I guess I disagree.  Imagine that the code has some block cipher with
> some S-boxes hardcoded into it.  The code uses this block cipher to
> decrypt an associated ciphertext and outputs (or takes some action based
> on) the resulting message.  This is an example of code that could be
> used to fool a MD5 checksum.  Moreover, I don't have a great deal of
> confidence that even a careful code inspection would cause the code to
> be considered suspicious.  Consequently, I don't have great confidence
> that such an attack would be detected.

Assuming you could find a collision s.t. the resulting decryption looked 
safe with one version and unsafe with the other (rather than gibberish), 
which I find an even bigger stretch than the idea that you could find a 
block that looked safe in one version and unsafe in another, I would 
have said that the mere fact of using a pointless decryption to control 
the action of the code would be suspect.

> I know it is tempting to think that, look, Wang et al only found a pair
> of random-looking messages that collide; they didn't claim to find a pair
> of meaningful messages that collide; and maybe we can hope that there is
> no way to come up with a pair of meaningful-looking colliding messages.

That kind of thinking may tempt you, but it doesn't tempt me. I am not 
discussing what it might be possible to do, I am discussing what it is 
possible to do.

> But I think that kind of hope is unfounded, and acting on hope is
> asking for trouble.  I believe the only safe course now is to assume
> that MD5's collision resistance is totally broken.

I had assumed that years ago.

> If Wang et al can
> find meaningless-looking collisions today, it seems all too likely that
> someone else may be able to find meaningful-looking collisions tomorrow.
> Hoping that the latter will be hard even though the former is known to
> be easy seems too optimistic for my tastes.

Indeed. Not the point I am making. In a nutshell, yes, it is scary that 
Wang found collisions. No, it is not _more_ scary that you can use those 
collisions to fool people who aren't looking anyway.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
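
Editor's added example (not part of Ben Laurie's or David Wagner's messages): the "two different executables with the same checksum" construction Ben refers to, built in Python from the 128-byte colliding message pair published by Wang et al. in 2004. The file layout (a 128-byte data slot followed by a "code" section) and the toy interpreter run_program are constructed for illustration and are not any real binary format. Two things are worth seeing in code rather than prose: because MD5 is a Merkle-Damgard hash and the pair already collides after two 64-byte blocks, any identical suffix can be appended and the two files still share a digest; and because the pair was found for MD5's fixed initial state, it only works at offset zero, so anything placed in front of it breaks the collision unless a fresh pair is computed for that chaining value. The branch on the data slot is in plain sight in the code, which is exactly Ben's point.

```python
"""Added example: Kaminsky-style "two files, one MD5" built from the
published Wang et al. colliding block pair. The 'program' layout here is a
constructed toy, not a real executable format."""
import hashlib

# The two 128-byte messages published by Wang et al. (2004) that collide
# under MD5. They differ in six bytes, each by the high bit (0x80).
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
SELECTOR_LEN = len(BLOCK_A)  # 128 bytes = two MD5 input blocks

# Constructed "code" section shared by both files. In a real build this
# would be the executable body; here it is just bytes that the toy
# interpreter run_program below is imagined to execute.
CODE = (
    b"\n# toy program: compare own first 128 bytes with BLOCK_A;\n"
    b"# equal -> greet the user, otherwise -> wipe the disk\n"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_program(selector: bytes, prefix: bytes = b"") -> bytes:
    """Lay out a file as prefix || selector || CODE.

    The Wang blocks collide only when MD5 processes them from its fixed
    initial state, so prefix must be empty for the two outputs to share a
    digest. Anything placed in front changes the chaining value, and a new
    collision would have to be computed for that state."""
    return prefix + selector + CODE


def run_program(program: bytes) -> str:
    """Simulated execution of an unprefixed file: the branch on the data
    slot is in plain view, which is Ben Laurie's objection."""
    selector = program[:SELECTOR_LEN]
    return "greet" if selector == BLOCK_A else "wipe"


def diff_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which the two selector blocks differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collides(prefix: bytes) -> bool:
    """Do the two variants share an MD5 when laid out behind this prefix?"""
    return md5_hex(build_program(BLOCK_A, prefix)) == md5_hex(
        build_program(BLOCK_B, prefix)
    )


def demo() -> dict:
    good = build_program(BLOCK_A)
    evil = build_program(BLOCK_B)
    return {
        "same_md5": md5_hex(good) == md5_hex(evil),
        "files_differ": good != evil,
        "good_does": run_program(good),
        "evil_does": run_program(evil),
    }


if __name__ == "__main__":
    r = demo()
    print("blocks differ at offsets", diff_offsets(BLOCK_A, BLOCK_B))
    print("same MD5:", r["same_md5"], " files differ:", r["files_differ"])
    print("good ->", r["good_does"], " evil ->", r["evil_does"])
    # A non-empty prefix moves the pair off MD5's initial state: no collision.
    print("with a 64-byte prefix in front, same MD5:", collides(b"\x00" * 64))
```

Running it with python3 prints the six offsets at which the blocks differ, whether the two files share a digest, the action each variant takes, and the result once a prefix is placed in front of the pair. The collision with an empty prefix and its failure with a non-empty one is the whole practical content of the "two executables" observation: the hard part in 2004 was not appending code after the colliding blocks, it was that real executable formats do not begin with 128 bytes of attacker-chosen data.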