C. Scott Ananian wrote:
On Wed, 22 Dec 2004, Ben Laurie wrote:

Blimey. Finally. An attack I can actually believe in. Excellent.
D131DD02C5E6EEC4693D9A0698AFF95C2FCAB58712467EAB4004583EB8FB7F8955AD340609F4B30283E488832571415A085125E8F7CDC99FD91DBDF280373C5BD8823E3156348F5BAE6DACD436C919C6DD53E2B487DA03FD02396306D248CDA0E99F33420F577EE8CE54B67080A80D1EC69821BCB6A8839396F9652B6FF72A700000000000000000000000000000001B is prime
D131DD02C5E6EEC4693D9A0698AFF95C2FCAB50712467EAB4004583EB8FB7F8955AD340609F4B30283E4888325F1415A085125E8F7CDC99FD91DBD7280373C5BD8823E3156348F5BAE6DACD436C919C6DD53E23487DA03FD02396306D248CDA0E99F33420F577EE8CE54B67080280D1EC69821BCB6A8839396F965AB6FF72A700000000000000000000000000000001B is not prime
both have MD5 b4b12dc7ec1b9422f6596d2a863d7900.


It's worth noting that the *currently known* MD5 collisions are very limited in number and form. Anyone who did not screen their binaries for these would be a fool.

It was my understanding that they are very easy to generate. Are you scanning your binaries? Do you have a complete list?


When more details emerge about the collision-generation technique, we'll be able to see if the MD5 collisions remain "weak keys" which we can efficiently check a binary for, or become general enough that it's impossible to rule out a collision in our binary material.

But since Ben began this discussion by concentrating only on *currently-known* weaknesses in MD5, I would have to argue that this particular weakness, although possible to "actually believe in", is pretty trivial to avoid. In fact, I'd argue strongly that any "security review" that neglected to notice a known MD5 collision in the key primes (in addition to checking that they are really prime, etc.) would be incompetent.

Given that we know (for some value of "know") that these collisions can be generated with trivial amounts of work, but do not know how to detect them (yet), I wouldn't agree with this.


What would be incompetent would be to rely on an MD5 hash.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List