On Thu, Aug 26, 2004 at 11:09:49AM -0400, Trei, Peter wrote:

> Looking over the recent work on hash collisions, one
> thing that struck me was that they all seem to be 
> attacks on known plaintext - the 'plaintexts' which
> collided were very close to each other,  varying in 
> only a few bits. 

Yep, so far... but let's assume for the moment that's as far as they
will go, however nervous it makes us about future extension of the
break.

> It allows you (if you're fortunate) to modify a signed
> message and have the signature still check out. 
> However, if you don't know the original plaintext
> it does not seem to allow you construct a second
> message with the same hash.

True. Even if you know the plaintext, many of the messages you might
want to tamper with have some sort of internal consistency constraints
(structured file formats, executable code for a particular
architecture, etc) that limit the possibilities of a useful attack.

There is one application of hashes, however, that fits these
limitations very closely and has me particularly worried:
certificates.  The public key data is public, and it's a "random"
bitpattern where nobody would ever notice a few different bits.

If someone finds a collision for Microsoft's Windows Update cert (or a
number of other possibilities), the fan is well and truly buried
in it.

--
Dan.
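As an added illustration of the worry in Dan's last two paragraphs (example code, not from the thread): a deliberately truncated 24-bit hash stands in for a broken hash function, two "public keys" a few bits apart are found that collide under it, and a CA "signature" issued over one certificate body then verifies over the other. The function names, the toy hash, the TBS encoding and the constructed subject and key bytes are all assumptions made for this demonstration.

```python
import hashlib
import random

def toy_hash(data: bytes) -> bytes:
    # 24-bit truncation of SHA-256: a stand-in for a broken hash, so the
    # birthday bound (~4096 trials) yields a collision in well under a second.
    return hashlib.sha256(data).digest()[:3]

def encode_tbs(subject: bytes, pubkey: bytes) -> bytes:
    # Toy "to-be-signed" certificate body (real certs use DER; assumption).
    return b"subject=" + subject + b";pubkey=" + pubkey.hex().encode()

def sign(tbs: bytes) -> bytes:
    # Toy CA signature: just the hash. A real CA signs the hash with its
    # private key, which is exactly why a hash collision transfers the signature.
    return toy_hash(tbs)

def verify(tbs: bytes, sig: bytes) -> bool:
    return toy_hash(tbs) == sig

def flip_bits(data: bytes, positions) -> bytes:
    out = bytearray(data)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)

def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def find_colliding_keys(subject: bytes, pubkey: bytes, nflips: int = 2, seed: int = 2004):
    # Birthday search over variants of pubkey that differ from it in `nflips`
    # bits; returns two variants whose TBS bodies hash to the same value.
    rng = random.Random(seed)
    seen = {}
    nbits = len(pubkey) * 8
    while True:
        cand = flip_bits(pubkey, rng.sample(range(nbits), nflips))
        h = toy_hash(encode_tbs(subject, cand))
        if h in seen and seen[h] != cand:
            return seen[h], cand
        seen[h] = cand

def demo() -> dict:
    subject = b"CN=constructed-example"                              # constructed sample
    base_key = hashlib.sha256(b"constructed key seed").digest() * 8  # 256 "random" bytes
    k1, k2 = find_colliding_keys(subject, base_key)
    sig = sign(encode_tbs(subject, k1))          # the CA only ever signs certificate 1
    return {"distinct": k1 != k2,
            "signature_transfers": verify(encode_tbs(subject, k2), sig),
            "bits_apart": hamming(k1, k2)}       # the two keys differ in at most 4 bits
```

Because the differing bits land inside the random-looking key field, nothing in the certificate's structure gives the substitution away, which is the point Dan makes about certificates being an unusually good fit for near-plaintext collisions.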