The Pointlessness of the MD5 "attacks"
Zooko O'Whielacronx
zooko at zooko.com
Thu Dec 30 15:46:18 EST 2004
Something that is interesting about this issue is that it involves
transitive vulnerability.

If there are only two actors there is no issue. If Alice is the user
and Bob is the software maintainer and Bob is bad, then Alice will be
exploited regardless of the hash function. If Alice is the user and
Bob the maintainer and Bob is good then Alice will be safe, regardless.

However if there is a third actor, Charles, from whom Bob accepts
information that he will use in a limited way (for example an image or
sound file, a patch to the source code which contains extensive
comments and whitespace), then whether the hash function is
collision-resistant becomes an issue. If Alice and Bob use a
collision-resistant hash function, they can rest assured that any
software package matching the hash is the package that Bob intended for
Alice to use. If they use a hash function which is not
collision-resistant they can't, even if the function is second
pre-image resistant.

This is interesting to me because the problem doesn't arise with only
Alice and Bob nor with only Bob and Charles. It is a problem specific
to the transitive nature of the relationship: Alice is vulnerable to
Charles's choice of package because she trusts Bob to choose packages
and Bob trusts Charles to provide image files. And because they are
using a non-collision-resistant hash function.

Regards,
Zooko
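
The three-party scenario from the message above, as an added example that is not part of the original post. It assumes a constructed weak hash (SHA-256 truncated to 24 bits, standing in for a function whose collisions are cheap), and hypothetical names `pack`, `BOB_CODE` and the sample file contents; it shows Alice's check passing for a file Bob never reviewed, and failing once a collision-resistant hash is used.

```python
import hashlib
from itertools import count

BOB_CODE = b"bob-package-v1\n"          # constructed: Bob's own (public) code

def pack(contributed: bytes) -> bytes:
    # The package Bob ships: his code plus the file accepted from Charles.
    return BOB_CODE + contributed

def weak_hash(data: bytes) -> bytes:
    # Constructed stand-in for a non-collision-resistant hash: 24 bits only,
    # so a birthday search needs on the order of 2^12 candidates.
    return hashlib.sha256(data).digest()[:3]

def strong_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def charles_makes_pair(h, n_benign=4096):
    # Charles chooses BOTH files, so a collision suffices; he never has to
    # hit a digest fixed by someone else (that would be a second pre-image).
    benign = {}
    for i in range(n_benign):
        f = b"IMAGE:logo;" + b"padding=%d" % i
        benign[h(pack(f))] = f
    for j in count():
        other = b"IMAGE:logo+unreviewed-content;" + b"padding=%d" % j
        digest = h(pack(other))
        if digest in benign:
            return benign[digest], other

def bob_publishes(reviewed: bytes, h) -> bytes:
    # Bob inspects the file he was sent and publishes the package digest.
    return h(pack(reviewed))

def alice_accepts(received_package: bytes, published: bytes, h) -> bool:
    return h(received_package) == published

def run_scenario():
    good, other = charles_makes_pair(weak_hash)
    results = {}
    for name, h in (("weak", weak_hash), ("strong", strong_hash)):
        published = bob_publishes(good, h)        # Bob only ever saw `good`
        results[name] = alice_accepts(pack(other), published, h)
    return good, other, results

if __name__ == "__main__":
    good, other, results = run_scenario()
    print("reviewed by Bob :", good)
    print("received by Alice:", other)
    print("Alice's check passes:", results)
```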
---------------------------------------------------------------------
The Cryptography Mailing List