Collisions for hash functions: how to explain them to your boss

John Kelsey kelsey.j at ix.netcom.com
Wed Jun 15 10:04:24 EDT 2005


>From: Eric Rescorla <ekr at rtfm.com> Sent: Jun 14, 2005 9:36 AM
>Subject: Re: Collisions for hash functions: how to explain them to
>your boss

[Discussing the MD5 attacks and their practicality, especially the
recent postscript demonstration.]

...

>But everything you've just said applies equally to my
>JavaScript example. It's not a security vulnerability in
>the browser or the data format that it displays differently
>depending on the context.  It's an intentional feature!

I think our disagreement here has to do with what we're
seeing from the attack.  You're seeing a specific attack
vector--use conditional execution/display + the ability to
find specific collisions of a particular form to yield these
nice attacks where we have two messages that amount to

X ||M0||M1
X*||M0||M1

where when the first part of the message is X, some kind of
conditional execution displays M0, while X* leads to the
display of M1.  And I think you're right to say that in many
cases, once you're viewing the result of blindly executing
programs that I send you, you're vulnerable to other attacks
that are about as damaging.  Now, it's certainly possible to
imagine cases where this kind of conditional execution
wouldn't be allowed to access anything outside the file, but
once you've decided to put in a full featured scripting
language, it's not that much of a stretch to think you'll
let me read the system time.

I'm seeing a more general pattern of attacks, in which X and
X* amount to context for the display of whatever follows
them.  That seems to me to encompass a lot more than macros
and script files with conditional execution.  And even when
I don't have a specific attack in mind, it worries me that
if I'm trying to help someone safely use MD5, I've got to
think through whether there is any way at all to make this
kind of attack pattern work.  It's a heck of a lot easier to
say "don't use MD5."

...
>-Ekr

--John Kelsey
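The X||M0||M1 versus X*||M0||M1 pattern discussed above, as an added example that is not part of the thread: a toy Merkle-Damgård hash with a 20-bit chaining value stands in for MD5 so a colliding block pair can be found by brute force, and the code then shows why one such pair is enough: any identical suffix keeps the collision, while a viewer that branches on the leading block displays different content for each document. The names toy_md, compress, find_colliding_prefixes, build_pair and render, and the "show M0 if the prefix equals the embedded reference" viewer logic, are assumptions for illustration.

```python
import hashlib
import itertools

BLOCK = 8          # toy block size in bytes (MD5 uses 64)
STATE_BITS = 20    # tiny chaining value so brute force finds a collision (MD5: 128 bits)
MASK = (1 << STATE_BITS) - 1

def compress(h: int, block: bytes) -> int:
    """Toy compression function: SHA-256 of (chaining value, block), truncated to STATE_BITS."""
    digest = hashlib.sha256(h.to_bytes(4, "big") + block).digest()
    return int.from_bytes(digest[:4], "big") & MASK

def toy_md(msg: bytes) -> int:
    """Merkle-Damgard iteration with MD-style padding (0x80, zeros, length), as in MD5."""
    data = msg + b"\x80"
    data += b"\x00" * (-len(data) % BLOCK) + len(msg).to_bytes(BLOCK, "big")
    h = 0
    for i in range(0, len(data), BLOCK):
        h = compress(h, data[i:i + BLOCK])
    return h

def find_colliding_prefixes() -> tuple[bytes, bytes]:
    """Birthday search for two distinct single blocks X, X* with equal chaining value.
    A collision in the internal state (not just the final digest) is what the MD5
    collisions provide, and it is why any common suffix preserves the collision."""
    seen: dict[int, bytes] = {}
    for i in itertools.count():
        x = i.to_bytes(BLOCK, "big")   # deterministic constructed candidates
        h = compress(0, x)
        if h in seen:
            return seen[h], x
        seen[h] = x

def build_pair(m0: bytes, m1: bytes) -> tuple[bytes, bytes]:
    """Kelsey's X||M0||M1 and X*||M0||M1: colliding context blocks, identical suffix.
    The suffix embeds X as the reference value the conditional compares against."""
    x, x_star = find_colliding_prefixes()
    suffix = x + m0 + b"\x00" + m1
    return x + suffix, x_star + suffix

def render(doc: bytes) -> bytes:
    """Hypothetical viewer with conditional display: show M0 if the leading block
    equals the embedded reference X, otherwise M1 (the PostScript demo's trick)."""
    prefix, reference = doc[:BLOCK], doc[BLOCK:2 * BLOCK]
    m0, m1 = doc[2 * BLOCK:].split(b"\x00", 1)
    return m0 if prefix == reference else m1

if __name__ == "__main__":
    good, bad = build_pair(b"Pay 100 EUR", b"Pay 100000 EUR")
    print(good != bad, toy_md(good) == toy_md(bad), render(good), render(bad))
```

The same reasoning holds for any Merkle-Damgård hash, which is why a single published MD5 collision pair turns into an open-ended family of colliding documents rather than one curiosity.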

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
