The Pointlessness of the MD5 "attacks"
Ben Laurie
ben at algroup.co.uk
Wed Dec 22 12:18:05 EST 2004
David Wagner wrote:
> Ben Laurie writes:
>
>>Indeed, but what's the point? If you control the binary, just distribute
>>the malicious version in the first place.
>
>
> Where this argument breaks down is that someone might have partial
> but not total control over the binary. This partial control might
> not be enough for them to distribute a malicious version straightforwardly,
> but just enough to exploit a MD5 collision. It is hard to be confident
> that such an attack scenario is impossible.
>
> To give one contrived example, imagine that the Windows 2010 binary
> comes with an image file that is displayed as part of the splash start
> screen. Imagine that the graphic designer is allowed to supply that
> image, but the graphic designer has no other authorized access to the
> source or binary of Windows. Now a disgruntled graphic designer might
> be able to arrange to find a MD5 collision MD5(img1) = MD5(img2) so that
> img1 looks like an entirely reasonable Windows splash screen, but img2
> contains some scrawled epithet ("Tired of Windows crashing all the time?
> Try Linux!"). Or, even more contrived, imagine that img1.jpg looks
> like a completely normal JPG file, but img2.jpg exploits some buffer
> overrun in the startup screen's JPG decoder to overwrite the program's
> image with some other malicious code.
>
> Sure, these scenarios are contrived and unlikely. But how do you
> know that there is not some other (possibly more complex but less
> contrived) scenario that you would consider more troubling?
They do not relate to the known MD5 collisions - these are general
collisions, which we do not know how to create, not the restricted ones
we do know how to create.
>>People seem to be having a hard time grasping what I'm trying to say, so
>>perhaps I should phrase it as a challenge: find me a scenario where you
>>can use an MD5 collision to mount an attack in which I could not mount
>>an equally effective attack without using an MD5 collision.
>
> I've got a better challenge: show me a convincing argument that no such
> scenario exists.
I claim I already have.
> What I'm trying to get at is that you've got the burden of proof
> backwards. Implicit in your challenge is the idea that we should
> keep trusting MD5 until someone finds a convincing argument that it is
> insecure in practice. My argument is that this is much too trusting.
> I believe that, given the theoretical results on MD5, we should not have
> any trust whatsoever in the security of MD5 as a collision-resistant
> hash until someone is able to offer a convincing argument that MD5 is
> secure enough in practice despite its known weaknesses.
Absolutely not, I would not argue for a second that we should continue
to trust MD5, I am merely making a very narrow argument about the nature
and utility of the newly found collisions.
> I could try to answer your challenge. I might even be able to devise
> some solution to your challenge that would satisfy you. For instance,
> maybe the image file attack above qualifies as a solution.
It would if it were possible, but it isn't.
> Or maybe
> the S-box table attack in my previous email is good enough. But I don't
> really want to argue about whether I have found a valid answer to your
> challenge. I shouldn't be required to meet that burden -- the burden
> of proof should be on whoever wants to believe that MD5 is secure.
>
> Why should the burden be on MD5 defenders? Not just because I said so.
> Part of the reason is that there are just too many complex scenarios
> to consider. Suppose I conceded that I couldn't find a scenario you'd
> accept. What would that prove? Very little. Even if I can't think of
> a suitable scenario for you off the top of my head, that doesn't mean
> that with more thought I wouldn't find one. Even if I spent a month
> trying and still couldn't find one, that doesn't mean that others can't.
I have made, I think, quite clear arguments why this attack is pointless.
> My experience is that if it is possible to find a theoretical attack with
> one day's work, it is often possible to extend this to a more practical
> attack with, say, one week's work. Bruce Schneier puts this concisely:
> "Attacks always get better." Trusting in MD5's collision-resistance
> amounts to assuming that "cryptanalysts of MD5 will get this far, but
> no farther", and that seems like a pretty questionable assumption to me.
I am not suggesting we trust MD5. My point is that this attack does not
cause me to trust it any less than I already did, and nor does it offer
any more useful exploit of MD5 than we already had.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list