On Wed, 15 Dec 2004 08:51:29 +0000, Ben Laurie <[EMAIL PROTECTED]> wrote:

> People seem to be having a hard time grasping what I'm trying to say, so
> perhaps I should phrase it as a challenge: find me a scenario where you
> can use an MD5 collision to mount an attack in which I could not mount
> an equally effective attack without using an MD5 collision.
Here's an example, although I think it's a stupid one, and agree with you that the MD5 attack, as it's currently known to work, isn't a material problem (although it's a clear signal that one shouldn't use MD5):

I send you a binary (say, a library for doing AES encryption) which you test exhaustively using black-box testing. The library is known not to link against any external APIs (in fact, perhaps it's implemented in a language and runtime with a decent security sandbox model, e.g., Java). You then incorporate it into your application and sign the whole thing with MD5+RSA to vouch for its accuracy.

I incorporate several copies of a suitable MD5 collision block in my library, so one of them will be at the correct 64-byte block boundary. I can then modify bits inside of my library, which are checked by the library code and cause it to change the functionality of the library, yet the signature will still verify.

This would be pretty easy to do as a proof-of-concept, but I don't have the time.

- Tim

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
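The property Tim's scenario relies on is the Merkle-Damgard structure shared by MD5: once two different blocks lead to the same chaining value, everything that follows hashes identically, so a signature over the whole file cannot tell the two variants apart. The following is an added illustration, not code from the thread: it uses a deliberately tiny toy hash (16-bit chaining value, 4-byte blocks, compression function built from truncated SHA-256) so that a block collision can be found by a cheap birthday search, and contrasts the unchanged toy digest with a SHA-256 digest of the same two files. The sample "library" bytes are constructed.

```python
import hashlib
import itertools

BLOCK = 4        # toy block size in bytes (MD5 uses 64-byte blocks)
STATE_BYTES = 2  # toy chaining value is 16 bits, so block collisions are cheap to find
IV = 0x1234      # fixed initial chaining value, as MD5 has a fixed IV

def compress(state, block):
    """Toy compression function: SHA-256 of (state || block), truncated to 16 bits."""
    digest = hashlib.sha256(state.to_bytes(STATE_BYTES, "big") + block).digest()
    return int.from_bytes(digest[:STATE_BYTES], "big")

def toy_md(data):
    """Merkle-Damgard iteration over whole blocks. Length padding is omitted because
    both files in the scenario have identical length, so their padding would match."""
    assert len(data) % BLOCK == 0, "data must be block-aligned"
    state = IV
    for off in range(0, len(data), BLOCK):
        state = compress(state, data[off:off + BLOCK])
    return state

def find_block_collision(state):
    """Birthday search for two distinct blocks that map `state` to the same next state.
    The pair is specific to `state`, i.e. to the exact prefix and block boundary."""
    seen = {}
    for n in itertools.count():
        blk = n.to_bytes(BLOCK, "big")
        nxt = compress(state, blk)
        if nxt in seen:
            return seen[nxt], blk
        seen[nxt] = blk

def swap_demo(prefix, suffix):
    """Place a colliding block pair at the boundary after `prefix`, then check whether
    the toy digest of the whole file survives swapping the block, and whether a
    collision-resistant hash (SHA-256) of the same two files does."""
    b1, b2 = find_block_collision(toy_md(prefix))  # chaining value after the prefix
    file_a, file_b = prefix + b1 + suffix, prefix + b2 + suffix
    return {
        "blocks_differ": b1 != b2,
        "toy_digest_same": toy_md(file_a) == toy_md(file_b),
        "sha256_same": hashlib.sha256(file_a).digest() == hashlib.sha256(file_b).digest(),
    }

# Constructed sample "library": code before the flag block and code after it.
PREFIX = b"LIB0" * 3
SUFFIX = b"CODE" * 5

if __name__ == "__main__":
    print(swap_demo(PREFIX, SUFFIX))
    # prints {'blocks_differ': True, 'toy_digest_same': True, 'sha256_same': False}
```

The suffix can be any code that reads the swapped block, which is why the signature keeps verifying; signing with a collision-resistant hash is the mitigation the last field shows.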