PlayStation 3 predicts next US president

James A. Donald jamesd at echeque.com
Sat Dec 1 20:25:50 EST 2007


William Allen Simpson wrote:
 > Weger, B.M.M. de wrote:
 >> See http://www.win.tue.nl/hashclash/Nostradamus if
 >> you want to know the details of what this has to do
 >> with cryptography.
 >>
 > It always bothers me as these things are announced,
 > but are based on presumptions that have absolutely no
 > relevance in the real world....
 >
 > Therefore, nothing to do with cryptography (which is
 > not a parlor trick).
 >
 >> This implies a vulnerability in software integrity
 >> protection and code signing schemes that still use
 >> MD5. See
 >> http://www.win.tue.nl/hashclash/SoftIntCodeSign for
 >> details.
 >>
 > There is no such MD5 vulnerability implied.  As the
 > paper itself states:
 >
 >   In cryptographic terms: our attack is an attack on
 >   collision resistance, not on preimage or second
 >   preimage resistance. This implies that both
 >   colliding files have to be specially prepared by the
 >   attacker, before they are published on a download
 >   site or presented for signing by a code signing
 >   scheme. Existing files with a known hash that have
 >   not been prepared in this way are not vulnerable.
 >
 > Since this "attack" requires the certifier be
 > compromised, the attacker could also modify the
 > program data itself undetectably.  That is, this
 > theoretical problem actually is more effort than the
 > obvious attack!

This attack does not require the certifier to be
compromised.

The attack was to generate a multitude of predictions
for the US election, each of which has the same MD5
hash.  If the certifier certifies any one of these
predictions, the recipient can use the certificate for
any one of these predictions.

 > In summary, there are exactly zero instances where
 > this use of MD5 would actually present a
 > vulnerability.

This attack renders MD5 entirely worthless for any use
other than as an error check like CRC - and CRC does it
better and faster.
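The point made above, that a certificate issued over one of several colliding documents is accepted for all of them, can be shown directly with a published MD5 collision. The example below is added here and is not code from the thread or from the hashclash project. It uses the two 128-byte colliding inputs published by Wang et al. in 2004, simulates a certifier that signs only the digest of what it is shown (an HMAC under a constructed key stands in for the certifier's RSA/DSA signature; the key and the helper names are assumptions), and then checks whether a certificate issued for one input verifies against the other. The same flow is run with SHA-256 to show that the transfer depends on the hash, and a two-hash comparison is included as the kind of cross-check a defender can apply to artifacts whose identity is still asserted by MD5.

```python
import hashlib
import hmac

# Two distinct 128-byte messages published by Wang, Feng, Lai and Yu (2004)
# that hash to the same MD5 digest, 79054025255fb1a26e4bc422aef54eb4.
COLLIDING_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLIDING_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Constructed secret standing in for the certifier's private signing key.
# HMAC-SHA256 over the digest plays the role of the signature; what matters
# for the demonstration is that the certifier signs digest(message), not message.
SIGNING_KEY = b"constructed-demo-certifier-key"


def digest(message: bytes, hash_name: str) -> bytes:
    """Digest of the message under the named hash (e.g. 'md5' or 'sha256')."""
    return hashlib.new(hash_name, message).digest()


def certify(message: bytes, hash_name: str) -> bytes:
    """Simulated certifier: looks at the message, signs only its digest."""
    return hmac.new(SIGNING_KEY, digest(message, hash_name), "sha256").digest()


def verify(message: bytes, certificate: bytes, hash_name: str) -> bool:
    """Recipient-side check: recompute the digest and compare signatures."""
    expected = hmac.new(SIGNING_KEY, digest(message, hash_name), "sha256").digest()
    return hmac.compare_digest(expected, certificate)


def certificate_transfers(hash_name: str) -> bool:
    """Certify COLLIDING_A, then ask whether that certificate verifies COLLIDING_B.

    True means a signature obtained for one prepared document is accepted
    for the other, which is exactly the situation the thread describes.
    """
    cert_for_a = certify(COLLIDING_A, hash_name)
    return verify(COLLIDING_B, cert_for_a, hash_name)


def same_artifact(a: bytes, b: bytes) -> bool:
    """Defensive cross-check: treat two artifacts as identical only if they
    agree under MD5 and SHA-256. An MD5-only match is not sufficient."""
    return digest(a, "md5") == digest(b, "md5") and digest(a, "sha256") == digest(b, "sha256")


if __name__ == "__main__":
    print("MD5 digests equal:   ", digest(COLLIDING_A, "md5") == digest(COLLIDING_B, "md5"))
    print("messages identical:  ", COLLIDING_A == COLLIDING_B)
    print("MD5 certificate transfers to the other document:   ", certificate_transfers("md5"))
    print("SHA-256 certificate transfers to the other document:", certificate_transfers("sha256"))
    print("same_artifact cross-check:", same_artifact(COLLIDING_A, COLLIDING_B))
```

Run as a script it reports that the two inputs differ yet share an MD5 digest, that the MD5-based certificate issued for the first input verifies the second, and that the SHA-256-based certificate does not. Nothing in the recipient's verification step can tell the two documents apart, because the only thing the certifier committed to was the digest; this is why a collision attack, not just a preimage attack, is enough to undermine a code-signing scheme that still hashes with MD5.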

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com