I've read the paper. What is stunning is that I've written a similar paper named "Practical Attacks on Digital Signatures Using MD5 Message Digest" using very similar techniques only recently. It was submitted to the Cryptology ePrint Archive (http://eprint.iacr.org) a week ago, on December 2nd. They will probably publish it in a day or two (I guess); they are processing December papers right now.

The difference is that I've focused mainly on practical attacks on the software distribution channel (there is an attack scenario depicted). The attack scenario is based on talks with a couple of developers/packagers on how software packaging and distribution works. The paper describes an example of a pair of executables and data files which have the same MD5 sum but extract different contracts. Then there is the idea and a practical demonstration of a tool that creates custom (self-)extracting packages which can contain arbitrary files, again both with identical MD5 sums, each extracting a different one. Lastly, there is a note on how it could be made even more effective when the algorithm for finding MD5 collisions for any initialization vector is published.

Most Windows software is distributed as self-extracting (self-installing) executables. In the Linux world, self-extracting executables are not so common; the formats tar.gz, tar.bz2, zip and various packages (rpm, deb, etc.) prevail. After submitting the paper we've been inspecting whether a similar attack could be made on these formats. Well, definitely yes for zip, tar.bz2 and tar.gz. The only problem was to find a concurrent collision in MD5 and CRC32, which is not that hard after all (the estimated time is approx. 320 hours using a single PC like the one on your table, or less than one day on 16 PCs). For rpm and deb packages, the trick is to put the colliding block somewhere in the header, where it is not checked internally by the package manager for any checksum.

The paper, source codes, examples and attacks on zip/gzip/.../rpm/... formats can be found at: http://cryptography.hyperlink.cz/2004/collisions.htm

We think that these attacks could be used even today, but they are not so hard to spot when people are aware of them.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
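An added example illustrating the "chameleon package" construction the message above describes; this is example code written for this page, not the tool from the paper and not anything published at the URL above. It uses the MD5 collision pair published by Wang et al. in 2004 (taken from the public literature, not from the page), which collides only from MD5's standard IV, so the colliding block has to be the first 128 bytes of the file; the container layout and its `CHAMELEON` magic tag are invented for the example. It shows three things: that any identical suffix appended to the two colliding blocks keeps the MD5 sums identical (the property that lets both payloads ride in the shared tail), that an extractor can pick a different payload depending on which block the file carries, and that the CRC32 of the two files does not agree, which is why the message says an archive format carrying a CRC32 needs a concurrent MD5/CRC32 collision.

```python
import hashlib
import struct
import zlib

# Published MD5 collision pair (Wang et al., 2004): two different 128-byte
# messages with the same MD5 under the standard IV. Taken from the public
# literature, not from the page or the paper it discusses.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

MAGIC = b"CHAMELEON\0"  # hypothetical container tag, invented for this example


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def build_package(variant, payload_a, payload_b):
    """Build one of the two 'self-extracting' packages.

    Hypothetical layout: [128-byte selector block][MAGIC][len A][A][len B][B]
    Only the selector block differs between the two variants. MD5 chains its
    compression function block by block from a fixed IV, so once the two
    selector blocks reach the same chaining value, any identical suffix keeps
    the digests identical. The block sits at offset 0 because the Wang pair
    collides only from the standard IV; placing it after a real executable
    header would need a collision for an arbitrary IV, as the message notes.
    """
    selector = BLOCK_A if variant == "A" else BLOCK_B
    body = (
        MAGIC
        + struct.pack(">I", len(payload_a)) + payload_a
        + struct.pack(">I", len(payload_b)) + payload_b
    )
    return selector + body


def extract(package):
    """Extractor decision logic: both payloads are always present; which one
    is written out depends only on which colliding block the file carries."""
    selector, rest = package[:128], package[128:]
    if not rest.startswith(MAGIC):
        raise ValueError("not a chameleon package")
    rest = rest[len(MAGIC):]
    (len_a,) = struct.unpack(">I", rest[:4])
    payload_a = rest[4:4 + len_a]
    rest = rest[4 + len_a:]
    (len_b,) = struct.unpack(">I", rest[:4])
    payload_b = rest[4:4 + len_b]
    # The extractor carries one of the two blocks as a constant; that constant
    # lives in the shared suffix, so it does not disturb the collision.
    return payload_a if selector == BLOCK_A else payload_b


def same_md5_different_crc(pkg_a, pkg_b):
    """The zip/gzip obstacle from the message: the MD5 digests agree, but a
    CRC32 over the region containing the colliding block does not, so a format
    that stores such a CRC accepts only one variant unless the collision is
    found to satisfy MD5 and CRC32 at the same time."""
    return md5_hex(pkg_a) == md5_hex(pkg_b) and crc32(pkg_a) != crc32(pkg_b)


if __name__ == "__main__":
    benign = b"Contract: Alice pays Bob 100 EUR.\n"       # constructed sample
    malicious = b"Contract: Alice pays Bob 10000 EUR.\n"  # constructed sample
    pkg_a = build_package("A", benign, malicious)
    pkg_b = build_package("B", benign, malicious)
    print("MD5 A:", md5_hex(pkg_a))
    print("MD5 B:", md5_hex(pkg_b))
    print("CRC32 A: %08x  CRC32 B: %08x" % (crc32(pkg_a), crc32(pkg_b)))
    print("A extracts:", extract(pkg_a))
    print("B extracts:", extract(pkg_b))
```

Running the script prints the same MD5 for both packages and two different CRC32 values; `extract` returns the benign contract for package A and the other one for package B. The same structure is what makes a "header" hiding place attractive for rpm/deb: the colliding block only has to land somewhere the package manager's own checksums do not cover, while everything after it stays byte-identical.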
