[Cryptography] Oracle discovers the 1990s in crypto
John Levine
johnl at iecc.com
Sun Jan 22 18:13:26 EST 2017
In article <CAAt2M182QfUUm2uMT+p+doZk0s01mwJsE3Ceb0yWxzcHbVJS6A at mail.gmail.com> you write:
>On 22 Jan 2017 23:27, "John Levine" <johnl at iecc.com> wrote:
>
>But I'm wondering how real the MD5 threat is in practice. Java JAR files
>are ZIP files containing a manifest that lists the other files and can
>contain signed hashes of the other files. So I can see how I could generate
>a collision and replace one of the other files with garbage, which might
>crash a poorly debugged Java implementation. But how likely is it that I
>could replace one of the other files with a different Java program?
>
>http://www.mscs.dal.ca/~selinger/md5collision/
>
>From 2006, and since then there's even been multicollision multifiletype
>hash collision generators with GPU acceleration and more.
>
>You can trivially generate valid files with colliding hashes.
So I see, but those are all variations on chosen plaintext attacks.
This tells me that there's a viable attack where I write both the good
and the bad programs with the same MD5 hash, get an authority to sign
the good program, and substitute the bad program, the "Alice - Caesar"
attack. It doesn't look like I can take an arbitrary signed program
not designed to make collisions easier and substitute a different
program.
Alice - Caesar is bad enough, but it's useful to understand the scope
of the threat.
R's,
John
PS: This does not mean I plan to sign any MD5 hashes any time soon.
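A defender-side check that follows from the thread, added here as an example and not code from the thread: it opens a JAR, reads the manifest and any signature (.SF) files under META-INF, and reports which digest algorithms the signed hashes rely on, flagging MD5. The attribute names (`MD5-Digest`, `SHA-256-Digest`, `...-Digest-Manifest`) follow the JAR manifest format; the sample JAR, its `ALICE.SF` signature file and the `com/example/Main.class` entry are constructed inline.

```python
import io
import re
import zipfile

# Constructed sample manifest and signature file in JAR format. The digest
# value is the base64 MD5 of an empty file, matching the empty entry below.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n\r\n"
    "Name: com/example/Main.class\r\n"
    "MD5-Digest: 1B2M2Y8AsgTpgAmY7PhCfg==\r\n\r\n"
)
SAMPLE_SF = (
    "Signature-Version: 1.0\r\n"
    "MD5-Digest-Manifest: 1B2M2Y8AsgTpgAmY7PhCfg==\r\n\r\n"
    "Name: com/example/Main.class\r\n"
    "MD5-Digest: 1B2M2Y8AsgTpgAmY7PhCfg==\r\n\r\n"
)

# Matches attribute names such as "MD5-Digest", "SHA-256-Digest" and
# "SHA-256-Digest-Manifest", capturing only the algorithm part.
DIGEST_ATTR = re.compile(r"^([A-Za-z0-9-]+)-Digest(?:-Manifest(?:-Main-Attributes)?)?\s*:", re.M)
WEAK = {"MD5", "MD2", "SHA1", "SHA-1"}

def digest_algorithms(text):
    """Set of digest algorithm names that a manifest or .SF file uses."""
    return set(DIGEST_ATTR.findall(text))

def audit_jar(jar_bytes):
    """Map each META-INF manifest/signature file to the algorithms it uses."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".MF", ".SF")):
                found[name] = digest_algorithms(zf.read(name).decode("utf-8", "replace"))
    return found

def weak_digests(audit):
    """Only the files that rely on a weak digest, with the weak names."""
    return {n: a & WEAK for n, a in audit.items() if a & WEAK}

def build_sample_jar():
    """Constructed JAR carrying the sample files above (assumed layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
        zf.writestr("META-INF/ALICE.SF", SAMPLE_SF)
        zf.writestr("com/example/Main.class", b"")
    return buf.getvalue()
```

Run `weak_digests(audit_jar(open(path, "rb").read()))` over a JAR to see which of its signature files still rely on MD5; an empty result means no weak digest attribute was found.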