On Tue, 14 Dec 2004, Ben Laurie wrote:
Ondrej Mikle wrote:
[snipped many assertions without supporting evidence that MD5 cracks improve attacks]
So, to exploit this successfully, you need code that cannot or will not be inspected. My contention is that any such code is untrusted anyway, so being able to change its behaviour on the basis of embedded bitmap changes is a parlour trick.
That's true in theory, but it's different in real world. Take Microsoft software as an example. Many banks use their software (and sometimes even military). I don't think that all of them reviewed Microsoft's source code (I guess only a few, if any at all). There was an incident of a worm attacking ATMs.
No, and they are therefore vulnerable to Microsoft. Note that MD5 is not required for Microsoft to attack them.
Again, the MD5 crack helps. Here one attack is obvious: third parties may more easily make substitutions of code.
No, they may not. This crack does _not_ allow a third party to do anything interesting.
Another example: Enigma was being sold after WW 2, but the Allies knew it could be broken. The purchasers did not. Same as when the US army sold some radio communications that used frequency hopping to Iraq during the 1980s. The US knew that it could be broken ("just in case...").
And MD5 helps with this how?
Cheers,
Ben.
The MD5 crack helps here in several ways. Perhaps the most important is that if MD5 is thought to be uncracked, simple MD5 checking might be considered so safe that no second check is used, at points where a second and third check would help, thus opening up a possible avenue of attack.
You are simply restating the supposed attack here, without providing any evidence it is useful.
Indeed, even before MD5 was widely known to be cracked, competent security folk often recommended that several hashes be used since in most applications the cost of computing hashes is small.
This is true, but not germane.
One point to remember is that the published cracks are likely only a small part of the cracks known to well funded professionals. The parallel to the case of the weak Enigmas is that many people buying the weak Enigmas thought they were uncracked, else they would not have bought them. Despite the recent published MD5 cracks, it is clear that the most interesting cracks of MD5 are as yet unpublished.
Again, probably true, but definitely not germane. I am saying nothing about what future MD5 cracks may enable, I am only commenting on the cracks currently known.
To be clear, I am not advocating the use of MD5, nor have I for many years. I am simply contesting the theory that the ability to produce collisions, as currently known[1], actually provides any useful attack vectors.
Cheers,
Ben.
[1] I agree, future possible methods of producing collisions are likely to have a real impact on security. This is not what I am discussing.
--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
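The thread's point about layered checks (that a verifier relying on MD5 alone has no second line of defence, and that computing an additional hash is cheap) can be made concrete. The following is an added example, not code from the thread or from any of its participants: a small artifact verifier that accepts a file only if every digest in a manifest matches. It uses constructed payloads and a constructed manifest; the `forge_single_digest` helper merely simulates the situation in which an attacker has obtained a second input matching one hash function (here MD5) and nothing else, since no real colliding pair is included.

```python
import hashlib
import hmac
import time

# Hash functions a manifest is expected to carry. Using more than one means a
# substitute input must collide under every function at once to pass.
DEFAULT_ALGORITHMS = ("md5", "sha256")


def compute_digests(data: bytes, algorithms=DEFAULT_ALGORITHMS) -> dict:
    """Return {algorithm: hex digest} for each requested algorithm."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def verify_md5_only(data: bytes, manifest: dict) -> bool:
    """The weak scheme discussed in the thread: trust the MD5 entry alone."""
    return hmac.compare_digest(hashlib.md5(data).hexdigest(), manifest["md5"])


def verify_all(data: bytes, manifest: dict) -> bool:
    """Accept only when every digest listed in the manifest matches.

    An input that collides with the original under MD5 but not under the
    other listed functions is rejected, because the check is a conjunction.
    An empty manifest verifies nothing and is therefore rejected too.
    """
    if not manifest:
        return False
    for alg, expected in manifest.items():
        actual = hashlib.new(alg, data).hexdigest()
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(actual, expected):
            return False
    return True


def forge_single_digest(manifest: dict, alg: str, substitute: bytes) -> dict:
    """Simulate an attacker who can match ONE hash function only.

    Returns a copy of the manifest whose entry for `alg` equals the digest of
    `substitute`, leaving the other entries untouched. This stands in for a
    collision/second preimage under `alg` alone; no real collision is used.
    """
    forged = dict(manifest)
    forged[alg] = hashlib.new(alg, substitute).hexdigest()
    return forged


def relative_cost(size: int = 1 << 20, rounds: int = 5) -> float:
    """Wall-clock cost of MD5+SHA-256 relative to MD5 alone on `size` bytes.

    Illustrates the thread's remark that extra hashes are cheap; the value is
    machine dependent, so it is reported rather than asserted on.
    """
    buf = b"\x5a" * size  # constructed filler data
    t0 = time.perf_counter()
    for _ in range(rounds):
        hashlib.md5(buf).digest()
    md5_only = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(rounds):
        hashlib.md5(buf).digest()
        hashlib.sha256(buf).digest()
    both = time.perf_counter() - t0
    return both / md5_only if md5_only > 0 else float("inf")


if __name__ == "__main__":
    original = b"constructed release payload v1.0"      # constructed sample
    substitute = b"constructed substituted payload"      # constructed sample
    manifest = compute_digests(original)
    forged = forge_single_digest(manifest, "md5", substitute)
    print("original passes both checks:", verify_all(original, manifest))
    print("substitute passes MD5-only:  ", verify_md5_only(substitute, forged))
    print("substitute passes all:       ", verify_all(substitute, forged))
    print("cost of md5+sha256 vs md5:   %.2fx" % relative_cost())
```

The MD5-only verifier accepts the substitute once its single entry has been matched, while the conjunctive verifier rejects it because the SHA-256 entry still belongs to the original; that is the gap the thread describes between "one check that is believed safe" and "a second check that would help".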
