Adam Back wrote:
Is this the case? Can't we instead start with code C and malicious C'
and try to find a collision on H(C||B) == H(C'||B') after trying 2^64
B values we'll find such a collision by the birthday principle.
Indeed, but that is not the attack suggested.
Now we can have people review and attest to the correctness of code C,
and then we can MITM and change surrepticiously with C'.
And with only 2^64 effort. Let me know when you're done.
Adam
On Wed, Dec 15, 2004 at 08:44:03AM +0000, Ben Laurie wrote:
Adam Back wrote:
Well the people doing the checking (a subset of the power users) may
say "I checked the source and it has this checksum", and another user
may download that checksum and be subject to MITM and not know it.
You are missing the point - since the only way to make this trick work
is to include a very specific chunk of 64 bytes with a few bits flipped
(or not), the actual malicious code must be present anyway and triggered
by the flipped bits. So, all of these attacks rely on the code not being
inspected or being sufficiently cunning that inspection didn't help.
And, if that's the case, the attacks work without any MD5 trickery.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
