Is this the case? Can't we instead start with code C and malicious C' and try to find a collision on H(C||B) == H(C'||B') after trying 2^64 B values we'll find such a collision by the birthday principle.
Now we can have people review and attest to the correctness of code C, and then we can MITM and change surrepticiously with C'. Adam On Wed, Dec 15, 2004 at 08:44:03AM +0000, Ben Laurie wrote: > Adam Back wrote: > >Well the people doing the checking (a subset of the power users) may > >say "I checked the source and it has this checksum", and another user > >may download that checksum and be subject to MITM and not know it. > > You are missing the point - since the only way to make this trick work > is to include a very specific chunk of 64 bytes with a few bits flipped > (or not), the actual malicious code must be present anyway and triggered > by the flipped bits. So, all of these attacks rely on the code not being > inspected or being sufficiently cunning that inspection didn't help. > And, if that's the case, the attacks work without any MD5 trickery. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
