Ben Laurie wrote:
> David Wagner wrote:
>> To give one contrived example, imagine that the Windows 2010 binary comes with an image file that is displayed as part of the splash start screen. Imagine that the graphic designer is allowed to supply that image, but the graphic designer has no other authorized access to the source or binary of Windows. Now a disgruntled graphic designer might be able to arrange to find a MD5 collision MD5(img1) = MD5(img2) so that img1 looks like an entirely reasonable Windows splash screen, but img2 contains some scrawled epithet ("Tired of Windows crashing all the time? Try Linux!"). Or, even more contrived, imagine that img1.jpg looks like a completely normal JPG file, but img2.jpg exploits some buffer overrun in the startup screen's JPG decoder to overwrite the program's image with some other malicious code.
> They do not relate to the known MD5 collisions - these are general collisions, which we do not know how to create, not the restricted ones we do know how to create.
"we do not know how to create" != "we will not know how to create"
The fear of a possible (likely?) attack as described by Wagner should be countered by a concrete solution, not by considering it a time bomb with a hopefully long enough fuse.
I think such a concrete solution exists, still using MD5, even though MD5 is not collision-resistant. The solution applies to everything that Ben says, as well.
If Microsoft chooses a salt value for an MD5-HMAC, which salt value Microsoft does not disclose to the programmer and the world until the file is (1) quality-controlled and (2) handled for distribution, the programmer would NOT be able to find the collision. Security is easily assured by Microsoft choosing the salt only after (1) QC. Distribution of any software, or text, can be likewise protected -- just don't let the attacker control everything.
The problem here is not MD5. The problem is allowing the attacker to have too much power.
Cheers, Ed Gerck
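Gerck's scheme in working form, as an added example that is not part of the thread: a published single-block MD5 collision pair (Marc Stevens, 2012) stands in for img1/img2, the publisher's secret HMAC key (what Gerck calls the salt) is generated only after QC approves img1, and the function names `publish_release`, `verify_release` and `tag_for` are this example's own.

```python
import hashlib
import hmac
import secrets

# Published single-block MD5 collision (Marc Stevens, 2012): two distinct
# 64-byte messages with the same MD5 digest. They play the roles of the
# approved splash image (MSG1) and the attacker's substitute (MSG2).
MSG1 = bytes.fromhex(
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2"
)
MSG2 = bytes.fromhex(
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2"
)


def md5_hex(data: bytes) -> str:
    """Plain MD5, the check the attacker planned against."""
    return hashlib.md5(data).hexdigest()


def tag_for(key: bytes, data: bytes) -> str:
    """HMAC-MD5 tag under the publisher's key."""
    return hmac.new(key, data, hashlib.md5).hexdigest()


def publish_release(approved: bytes) -> tuple:
    """Step (1) QC has approved `approved`; only now does the publisher
    pick the secret key and tag the exact approved bytes for distribution."""
    key = secrets.token_bytes(32)  # unknown to the designer until this point
    return key, tag_for(key, approved)


def verify_release(key: bytes, candidate: bytes, tag: str) -> bool:
    """Recipient-side check of a distributed file against the published tag."""
    return hmac.compare_digest(tag_for(key, candidate), tag)


def demo() -> dict:
    # The designer prepared MSG1/MSG2 before QC, knowing only that MD5 is used.
    plain_md5_collides = MSG1 != MSG2 and md5_hex(MSG1) == md5_hex(MSG2)
    key, tag = publish_release(MSG1)  # key chosen after QC approved MSG1
    return {
        "plain_md5_collides": plain_md5_collides,   # True: MD5 alone is fooled
        "approved_verifies": verify_release(key, MSG1, tag),  # True
        "swapped_verifies": verify_release(key, MSG2, tag),   # False
    }
```

The colliding pair only collides when MD5 runs from its fixed initial state; once the key block is hashed first, the internal state entering the attacker's blocks is one the attacker never saw, so the tags differ.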
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
