Collisions for hash functions: how to exlain them to your boss

Weger, B.M.M. de b.m.m.d.weger at TUE.nl
Mon Jun 13 15:53:04 EDT 2005 

Hi Eric,

Technically speaking you're correct, they're signing a program.
But most people, certainly non-techies like Alice's boss,
view postscript (or MS Word, or <name your favourite document 
format that allows macros>) files not as programs but as static 
data. In being targeted at non-techies I find this attack more 
convincing than those of Mikle and Kaminsky, though essentially
it's a very similar idea.

Note that opening the postscript files in an ASCII-editor
(or HEX-editor) immediately reveals the attack. Stefan Lucks
told me they might be able to obfuscate the postscript code, 
but again this will only fool the superficial auditor.

Grtz,
Benne

========================================= 
Technische Universiteit Eindhoven 
Coding & Crypto Groep 
Faculteit Wiskunde en Informatica 
Den Dolech 2 
Postbus 513 
5600 MB Eindhoven 
kamer HG 9.84 
tel. (040) 247 2704, bgg 5141 
e-mail: b.m.m.d.weger at tue.nl 
www: http://www.win.tue.nl/~bdeweger 
========================================= 
 

> -----Original Message-----
> From: owner-cryptography at metzdowd.com 
> [mailto:owner-cryptography at metzdowd.com] On Behalf Of Eric Rescorla
> Sent: maandag 13 juni 2005 17:05
> To: Stefan Lucks
> Cc: cryptography at metzdowd.com
> Subject: Re: Collisions for hash functions: how to exlain 
> them to your boss
> 
> Stefan Lucks <lucks at th.informatik.uni-mannheim.de> writes:
> > Magnus Daum and myself have generated MD5-collisons for 
> PostScript files:
> >
> >   http://th.informatik.uni-mannheim.de/people/lucks/HashCollisions/
> >
> > This work is somewhat similar to the work from Mikle and 
> Kaminsky, except 
> > that our colliding files are not executables, but real documents. 
> >
> > We hope to demonstrate how serious hash function collisions 
> should be 
> > taken -- even for people without much technical background. 
> And to help 
> > you, to explain these issues 
> >
> >   - to your boss or your management,
> >   - to your customers,
> >   - to your children ...
> 
> While this is a clever idea, I'm not sure that it means what you imply
> it means. The primary thing that makes your attack work is that the
> victim is signing a program which he is only able to observe mediated
> through his viewer. But once you're willing to do that, you've got a
> problem even in the absence of collisions, because it's easy to write
> a program which shows different users different content even if you
> without hash collisions. You just need to be able to write
> conditionals.
> 
> For more, including an example, see:
> http://www.educatedguesswork.org/movabletype/archives/2005/06/
> md5_collisions.html
> 
> -Ekr
> 
> 
> 
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to 
> majordomo at metzdowd.com
> 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list