solution, Re: The Pointlessness of the MD5 "attacks"

Ed Gerck egerck at nma.com
Wed Dec 22 14:04:33 EST 2004


Ben Laurie wrote:
> David Wagner wrote:
>> To give one contrived example, imagine that the Windows 2010 binary
>> comes with an image file that is displayed as part of the splash start
>> screen.  Imagine that the graphic designer is allowed to supply that
>> image, but the graphic designer has no other authorized access to the
>> source or binary of Windows.  Now a disgruntled graphic designer might
>> be able to arrange to find a MD5 collision MD5(img1) = MD5(img2) so that
>> img1 looks like an entirely reasonable Windows splash screen, but img2
>> contains some scrawled epithet ("Tired of Windows crashing all the time?
>> Try Linux!").  Or, even more contrived, imagine that img1.jpg looks
>> like a completely normal JPG file, but img2.jpg exploits some buffer
>> overrun in the startup screen's JPG decoder to overwrite the program's
>> image with some other malicious code.

> They do not relate to the known MD5 collisions - these are general
> collisions, which we do not know how to create, not the restricted ones
> we do know how to create.

"we do not know how to create" != "we will not know how to create"

The fear of a possible (likely?) attack as described by Wagner should
be countered by a concrete solution, not by considering it a time bomb
with a hopefully long enough fuse.

I think such a concrete solution exists, still using MD5, even though
MD5 is not collision-resistant. The solution applies to everything that
Ben says, as well.

If Microsoft chooses a salt value for an MD5-HMAC, which salt value
Microsoft does not disclose to the programmer and the world until the
file is (1) quality-controlled and (2) handled for distribution, the
programmer would NOT be able to find the collision. Security is easily
assured by Microsoft choosing the salt only after (1) QC. Distribution
of any software, or text, can be likewise protected -- just don't let
the attacker control everything.

The problem here is not MD5. The problem is allowing the attacker to
have too much power.

Cheers,
Ed Gerck
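The proposal above, worked through as an added example (this is not code from the thread, nor from Microsoft): the two byte strings IMG1 and IMG2 are the MD5 colliding pair published by Wang, Feng, Lai and Yu in 2004 and stand in for Wagner's img1/img2 (assumed names; they are not image files). The release workflow in release_and_swap is an assumed model of Gerck's process, with the "salt" used as an HMAC-MD5 key drawn only after QC. The example goes one step beyond the message: it also shows that a salt merely appended to the file in public would not help, because the collision survives any common suffix.

```python
import hashlib
import hmac
import secrets

# Added example, not from the original thread. The two 128-byte blocks below
# are the MD5 colliding pair published by Wang, Feng, Lai and Yu (2004); they
# differ in six bytes and share the digest 79054025255fb1a26e4bc422aef54eb4.
# They stand in for Wagner's img1/img2 (assumed names, no real image format).
IMG1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
IMG2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def plain_md5_collides(a: bytes, b: bytes) -> bool:
    """Wagner's scenario: two different files, one MD5 digest."""
    return a != b and md5_hex(a) == md5_hex(b)


def public_suffix_salt_collides(a: bytes, b: bytes, salt: bytes) -> bool:
    """Caveat: a salt appended *after* the attacker's data does nothing.
    MD5 is Merkle-Damgard; once the internal chaining state collides, any
    common suffix is absorbed identically, so the collision survives."""
    return md5_hex(a + salt) == md5_hex(b + salt)


def hmac_md5_tag(key: bytes, data: bytes) -> str:
    """Gerck's 'salt' used as an HMAC key: the key is mixed in *before* the
    data, so the chaining state the attacker would have to collide against
    is unknown to him when he chooses the file."""
    return hmac.new(key, data, hashlib.md5).hexdigest()


def hmac_md5_collides(a: bytes, b: bytes, key: bytes) -> bool:
    return hmac_md5_tag(key, a) == hmac_md5_tag(key, b)


def release_and_swap(submitted: bytes, replacement: bytes) -> dict:
    """Assumed model of the proposed process (not Microsoft's actual one):
    1. the designer submits `submitted`, secretly holding `replacement`;
    2. QC approves the submitted file;
    3. only now does the publisher draw a fresh secret key and tag the file;
    4. key and tag are published alongside the release;
    5. the designer tries to substitute `replacement` on the way out."""
    key = secrets.token_bytes(16)  # chosen after QC; unknown at submission time
    tag = hmac_md5_tag(key, submitted)
    return {
        "genuine_verifies": hmac.compare_digest(hmac_md5_tag(key, submitted), tag),
        "swap_verifies": hmac.compare_digest(hmac_md5_tag(key, replacement), tag),
    }


if __name__ == "__main__":
    print("MD5(img1) == MD5(img2):         ", plain_md5_collides(IMG1, IMG2))
    print("MD5(img || public salt) collides:",
          public_suffix_salt_collides(IMG1, IMG2, b"release-2004"))
    print("HMAC-MD5 with late key collides: ",
          hmac_md5_collides(IMG1, IMG2, secrets.token_bytes(16)))
    print(release_and_swap(IMG1, IMG2))
```

The order of events is what carries the security here, not the choice of MD5: a collision search only needs the chaining state in front of the colliding blocks to be known, so a key that is secret until after the file is committed denies the attacker exactly that, while a key known (or guessable) at submission time, or a salt appended publicly after the data, would leave Wagner's scenario intact. The tag and the late-chosen key also have to reach the verifier over a path the designer cannot rewrite, which is the other half of "don't let the attacker control everything".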

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com