Re: PlayStation 3 predicts next US president

2007-12-02 Thread Allen



William Allen Simpson wrote:
[snip]

> There are no circumstances in which any reputable certifier will ever
__^
> certify any of the "multitude" containing a hidden pdf image, especially
> where generated by another party.


Given what we know about the limitations of people, their 
response to ethics, and the endemic nature of ego and bribery 
around the world (See list of a few samples below) I would very 
much doubt that this method won't be used one day. When? Who 
knows. But as someone who rarely bets, this is one I'd bet on.


How about the Teapot Dome Scandal, Enron, WorldCom, Michael 
Milken and all the others we find in our daily papers?


Or to move into an area where no money changed hands, look at:

http://innocenceproject.org/

and look at the corruption of public officials which put people 
to death based on lies. Read up on why the Governor of Illinois 
pardoned everyone on Death Row a few years back.


See:

http://www.msnbc.msn.com/id/19031423/
http://www.signonsandiego.com/news/politics/cunningham/
http://valleypolitics.blogspot.com/2007/03/conspiracy-extortion-bribery-oh-my.html
http://www.thebostonchannel.com/politics/13438616/detail.html
http://news.bbc.co.uk/1/hi/uk_politics/1259957.stm
http://www.usdoj.gov/criminal/npftf/pr/press_releases/2007/may/05-11-07lucas.pdf

http://www.usatoday.com/money/companies/2005-11-08-titan-usat_x.htm
http://www.msnbc.msn.com/id/3340697
http://www.corpwatch.org/article.php?id=8649
http://www.pbs.org/now/shows/347/

Then, of course, there is the Transparency International 
Corruption Perceptions Index:


http://www.infoplease.com/ipa/A0781359.html

Then, too, there is the Internet Center for Corruption Research:

http://www.icgg.org/

Ego/bribery/corruption is so common, and its effects most commonly 
found after the fact, that to expect that a now "reputable 
certifier" won't become corrupted in some manner, like the 
notaries in Southern California in the elder fraud scandal, is 
placing trust in a system without verification. It takes periodic 
external audit to ensure the continued honesty of all certifiers. 
This is what SOX in the US is attempting, but like most things, 
never perfect the first time.


(BTW, I don't recall when or where, but recently there was a 
comment on a list dealing in and around cryptography that went 
approximately, "Who would have thought that this list would be 
about philosophy?" Not a quote, just an aging memory, if I got 
the essence wrong.)


Best,

Allen

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: PlayStation 3 predicts next US president

2007-12-02 Thread James A. Donald

James A. Donald wrote:
>> A notary is a certifier.  Have you ever seen a notary
>> read the stuff he notarizes, let alone generate it?

William Allen Simpson wrote:
> Actually, I deal with notaries regularly.  I've always
> had to physically sign while watched by the notary.
> They always read the stuff notarized, and my
> supporting identification, because they are notarizing
> a signature (not a document).

Not true.  Because they are notarizing a signature, not
a document, they check my supporting identification,
but never read the document being signed.

> And yes, they always generate the stamp or imprint
> they sign. To do otherwise would be irresponsible (and
> illegal).

If they were to generate an MD5 hash of documents
prepared by someone else, then the attack described
(eight different human readable documents with the same
MD5 hash) works.



GOST's resistance to this attack

2007-12-02 Thread James A. Donald

GOST resists the attacks that have recently been
discovered against commonly used hashes because it has
512 bits of internal state.  It combines a simple 256
bit checksum with a simple 256 bit digest.

I cannot see any use for the checksum other than to
resist this type of attack against the digest, which
suggests that the Russians may have been aware of this
kind of attack in 1990.



RE: PlayStation 3 predicts next US president

2007-12-02 Thread Weger, B.M.M. de
Hi William,

> > ... We say so on
> > the website. We did show this hiding of collisions for other data 
> > formats, such as X.509 certificates
> 
> More interesting.  Where on your web site?  I've long abhorred the
> X.509 format, and was a supporter of a more clean alternative.

See http://www.win.tue.nl/hashclash/TargetCollidingCertificates/

> > Our real work is chosen-prefix collisions combined with 
> > multi-collisions. This is crypto, it has not been done before,
> 
> Certainly it was done before! 

I was referring to MD5. Apart from that, I'd be interested in
seeing references to older work on chosen-prefix multicollisions.

> What *would* be crypto is the quantification of where MDx 
> currently falls on the computational spectrum.

Our first chosen-prefix collision attack has complexity of about
2^50, as described in our EuroCrypt 2007 paper. This has been 
considerably improved since then. In the full paper that is in
preparation we'll give details of those improvements.

Grtz,
Benne



Re: PlayStation 3 predicts next US president

2007-12-02 Thread William Allen Simpson

Weger, B.M.M. de wrote:

>> The parlor trick demonstrates a weakness of the pdf format, not MD5.


> I disagree. We could just as easy have put the collision blocks
> in visible images.


Parlor trick.


> ... We could just as easy have used MS Word
> documents, or any document format in which there is some way
> of putting a few random blocks somewhere nicely.


Parlor trick.


> ... We say so on
> the website. We did show this hiding of collisions for other data
> formats, such as X.509 certificates


More interesting.  Where on your web site?  I've long abhorred the
X.509 format, and was a supporter of a more clean alternative.


> ... and for Win32 executables.


Parlor trick.

So far, all the things you mention require the certifier to be suborned.



> Our real work is chosen-prefix collisions combined with
> multi-collisions. This is crypto, it has not been done before,


Certainly it was done before!  We talked about it more than a decade ago.
We knew that what was "computationally infeasible" would become feasible.

Every protocol I've designed or formally reviewed is protected against the
chosen prefix attack.  (To qualify, where I had final say.  I've reviewed
badly designed protocols, such as IKE/ISAKMP.  And I've been overruled by
committee from time to time)

What *would* be crypto is the quantification of where MDx currently falls
on the computational spectrum.




Re: PlayStation 3 predicts next US president

2007-12-02 Thread William Allen Simpson

James A. Donald wrote:

> A notary is a certifier.  Have you ever seen a notary
> read the stuff he notarizes, let alone generate it?


Actually, I deal with notaries regularly.  I've always had to
physically sign while watched by the notary.  They always
read the stuff notarized, and my supporting identification,
because they are notarizing a signature (not a document).

And yes, they always generate the stamp or imprint they sign.
To do otherwise would be irresponsible (and illegal).



> Suppose you sign a contract - by signing the MD5 hash of
> the contract.  Unfortunately the guy who prepared the
> contract prepared two slightly different contracts, one
> of which is more favorable to him and less favorable to
> you than the one you actually signed.  Both contracts
> have the same MD5 hash.


I've digitally signed contracts, that I prepared and verified,
on plaintext documents using PGP.  So far, I've seen no such
exploit described nor quantified.

There's this silly idea that's been floating around that a
digital signature is somehow equivalent to a human signature.
Or worse, somehow better?!?!  Heck, current U.S. law counts a
digitized sound as a signature!?!?

(Folks have lost money on this snake oil.  They deserved it.)

Anyway, this is irrelevant to the original topic.  That is:

  This implies a vulnerability in software integrity protection
  and code signing schemes that still use MD5.

Please quantify your spurious allegations (and stay on topic).



RE: PlayStation 3 predicts next US president

2007-12-02 Thread Weger, B.M.M. de
Hi William,

> >  The attack was to generate a multitude of predictions for the US 
> > election, each of which has the same MD5 hash.  If the certifier 
> > certifies any one of these predictions, the recipient can use the 
> > certificate for any one of these predictions.
> > 
> That's a mighty big "if" -- as in infinite improbability.  
> Therefore, a parlor trick, not cryptography.

That's an "if" indeed, we say so on the website. How big it is, you
all form your own opinion.

> There are no circumstances in which any reputable certifier 
> will ever certify any of the "multitude" containing a hidden 
> pdf image, especially where generated by another party.

This I read as a definition of 'reputable'. 

> While there are plenty of chosen text attacks in 
> cryptography, this one is highly impractical.  The image is 
> hidden.  It will not appear, and thus would not be 
> accidentally copied by somebody (cut-and-paste).
> 
> The parlor trick demonstrates a weakness of the pdf format, not MD5.

I disagree. We could just as easy have put the collision blocks
in visible images. We could just as easy have used MS Word
documents, or any document format in which there is some way
of putting a few random blocks somewhere nicely. We say so on
the website. We did show this hiding of collisions for other data
formats, such as X.509 certificates and for Win32 executables.

Our real work is chosen-prefix collisions combined with
multi-collisions. This is crypto, it has not been done before,
this is as far as we can get in MD5 cryptanalysis, and we think 
it's relevant. To sell it to the world we wrapped it up nicely.
You just throw away the wrapper. 

Grtz,
Benne de Weger



Re: PlayStation 3 predicts next US president

2007-12-02 Thread James A. Donald

William Allen Simpson wrote:
> Apparently, you never read the original rationale for
> MD5.  It still does what it was intended to do

MD5 was intended to identify the thing being hashed
uniquely.  If it is possible to produce multiple
plausible human readable texts that say different things
yet give the same MD5 hash, it does not do what it was
intended to do.

James A. Donald:
>> If it is a certifier, these are not "its" documents.

William Allen Simpson:
> If it is a certifier, it damn well better be its own
> documents!

A notary is a certifier.  Have you ever seen a notary
read the stuff he notarizes, let alone generate it?

> Look at the original message:
>
>  This implies a vulnerability in software integrity
>  protection and code signing schemes that still use
>  MD5.

Suppose you sign a contract - by signing the MD5 hash of
the contract.  Unfortunately the guy who prepared the
contract prepared two slightly different contracts, one
of which is more favorable to him and less favorable to
you than the one you actually signed.  Both contracts
have the same MD5 hash.

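The two scenarios argued over in this thread, as an added worked example that is not part of any post here: the contract signed "by signing the MD5 hash of the contract" (this post, and the notary reply above about hashing documents prepared by someone else), and the remark in "GOST's resistance to this attack" that a second, independent 256-bit checksum state defeats this kind of collision. Only the two 128-byte colliding messages are real: they are the published Wang/Yu MD5 collision pair. The contract container, the toy viewer, the HMAC used as a stand-in for a signature over an MD5 digest, and the checksum-augmented hash are constructed for this example; they are not GOST, not the HashClash tooling, and not anyone's protocol.

```python
"""Toy model of the MD5 scenarios argued about in this thread.

Only BLOCK_A and BLOCK_B are real (the published Wang/Yu collision pair).
Everything else here is constructed for the example and models nothing
that exists."""
import hashlib
import hmac

# Published colliding pair.  They collide only when they start at offset 0,
# i.e. against MD5's fixed initial value; any prefix in front breaks them.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")
PUBLISHED_MD5 = "79054025255fb1a26e4bc422aef54eb4"

def published_pair_md5():
    """MD5 of each block on its own, to check the constants."""
    return hashlib.md5(BLOCK_A).hexdigest(), hashlib.md5(BLOCK_B).hexdigest()

# Constructed container: opaque 128-byte header, then both clause variants.
# The viewer shows whichever clause one header byte selects; the common
# suffix carries both payloads, as the hidden-image PDF and Win32 demos do.
SEP = b"\n--\n"
CLAUSE_SIGNED = b"Buyer pays USD 1,000 on delivery."
CLAUSE_SWAPPED = b"Buyer pays USD 10,000 on delivery."

def build_contract(header):
    return header + SEP + CLAUSE_SIGNED + SEP + CLAUSE_SWAPPED

def render(contract):
    """Header byte 19 is 0x87 in BLOCK_A and 0x07 in BLOCK_B."""
    header, body = contract[:128], contract[128:]
    _, clause_a, clause_b = body.split(SEP)
    return clause_a if header[19] == 0x87 else clause_b

# "Sign the MD5 hash of the contract": an HMAC over the digest stands in for
# the RSA/DSA operation a real scheme would apply to that same digest.
def sign_md5_digest(key, contract):
    return hmac.new(key, hashlib.md5(contract).digest(), "sha256").digest()

def verify_md5_signature(key, contract, sig):
    return hmac.compare_digest(sign_md5_digest(key, contract), sig)

def contract_swap_demo(key=b"signer-key-stand-in"):
    """Sign contract A; contract B, prepared by the other party, verifies
    under the same signature and displays the other clause."""
    a, b = build_contract(BLOCK_A), build_contract(BLOCK_B)
    sig = sign_md5_digest(key, a)
    return {
        "same_md5": hashlib.md5(a).digest() == hashlib.md5(b).digest(),
        "b_verifies_with_a_sig": verify_md5_signature(key, b, sig),
        "shown_when_signed": render(a),
        "shown_when_presented": render(b),
        # fixed-IV pair: one byte of prefix and the collision is gone
        "collides_with_prefix": hashlib.md5(b"x" + a).digest()
        == hashlib.md5(b"x" + b).digest(),
    }

# Toy of the GOST idea: a second, independent 256-bit state (a modular sum
# of the 256-bit message chunks) folded into the result next to the digest.
# Not GOST, which has its own compression function; the point is only that
# a collision found against the digest does not carry over to the chunk sum.
def chunk_checksum(msg, chunk_bits):
    width = chunk_bits // 8
    padded = msg + b"\x00" * (-len(msg) % width)
    total = 0
    for i in range(0, len(padded), width):
        total += int.from_bytes(padded[i:i + width], "little")
    return total % (1 << chunk_bits)

def checksum_augmented_md5(msg, chunk_bits=256):
    digest = hashlib.md5(msg).digest()
    sigma = chunk_checksum(msg, chunk_bits).to_bytes(chunk_bits // 8, "little")
    length = len(msg).to_bytes(8, "little")
    return hashlib.md5(digest + sigma + length).digest()

def checksum_demo():
    a, b = build_contract(BLOCK_A), build_contract(BLOCK_B)
    return {
        # a 256-bit chunk sum separates the published pair ...
        "collides_256": checksum_augmented_md5(a, 256) == checksum_augmented_md5(b, 256),
        # ... but a 32-bit word sum does not: the pair's six word differences
        # (four of 2^31 modulo 2^32, plus +2^15 and -2^15) cancel.  Width matters.
        "collides_32": checksum_augmented_md5(a, 32) == checksum_augmented_md5(b, 32),
    }

if __name__ == "__main__":
    print(published_pair_md5(), contract_swap_demo(), checksum_demo())
```

Two things the run shows that the prose alone does not. First, the signature check passes for the swapped contract and the viewer shows a different clause, so whether the swap "requires the certifier to be compromised" comes down to whether the certifier ever hashes a header it did not generate, which is the notary dispute above. Second, the pair only collides at offset 0: the `collides_with_prefix` result is false, which is the "exactly the correct location" constraint for these fixed-IV blocks, and the chosen-prefix collisions described by de Weger are precisely what removes it. The 12-document Nostradamus set additionally chains collision blocks (a multicollision), which this single pair does not reproduce.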


Re: PlayStation 3 predicts next US president

2007-12-02 Thread William Allen Simpson

James A. Donald wrote:

> So the certifier is going to go through each thing he
> certifies, to make sure there is nothing funny about it?


Yes.


> The whole point of MD5 is to automate that stuff.  If an
> actual human has to go through it, and understand what
> it means, and certify the *meaning* then there is no
> reason to take an MD5 hash.


Apparently, you never read the original rationale for MD5.  It
still does what it was intended to do



> If it is a certifier, these are not "its" documents.


If it is a certifier, it damn well better be its own documents!

Look at the original message:

  This implies a vulnerability in software integrity protection
  and code signing schemes that still use MD5.

Anybody that's "certifying" software and code that they didn't
personally generate and vet is selling snake oil.

Trust is *not* transitive!  Neither is reputation.



Re: PlayStation 3 predicts next US president

2007-12-02 Thread James A. Donald

> There are no circumstances in which any reputable
> certifier will ever certify any of the "multitude"
> containing a hidden pdf image, especially where
> generated by another party.

So the certifier is going to go through each thing he
certifies, to make sure there is nothing funny about it?
The whole point of MD5 is to automate that stuff.  If an
actual human has to go through it, and understand what
it means, and certify the *meaning* then there is no
reason to take an MD5 hash.

> The attack requires the certifier to be compromised,
> either to certify documents that the certifier did not
> generate

That is what certifiers do.  It is what they are
supposed to do.  You seem to have confused certification
with signing.

> or to include the chosen text (hidden image) in its
> documents in exactly the correct location.

If it is a certifier, these are not "its" documents.



Re: PlayStation 3 predicts next US president

2007-12-02 Thread William Allen Simpson

James A. Donald wrote:

> This attack does not require the certifier to be
> compromised.


You are referring to a different page (that I did not reference).
Nevertheless, both attacks require the certifier to be compromised!



> The attack was to generate a multitude of predictions
> for the US election, each of which has the same MD5
> hash.  If the certifier certifies any one of these
> predictions, the recipient can use the certificate for
> any one of these predictions.


That's a mighty big "if" -- as in infinite improbability.  Therefore, a
parlor trick, not cryptography.

There are no circumstances in which any reputable certifier will ever
certify any of the "multitude" containing a hidden pdf image, especially
where generated by another party.

The attack requires the certifier to be compromised, either to certify
documents that the certifier did not generate, or to include the chosen
text (hidden image) in its documents in exactly the correct location.

While there are plenty of chosen text attacks in cryptography, this one
is highly impractical.  The image is hidden.  It will not appear, and thus
would not be accidentally copied by somebody (cut-and-paste).

The parlor trick demonstrates a weakness of the pdf format, not MD5.



> This attack renders MD5 entirely worthless for any use
> other than as an error check like CRC - and CRC does it
> better and faster.


To be as weak as CRC, the strength would be 2**8.  I've seen no papers
that reduce MD5 complexity to 2**8.

Please present your proofs and actual vulnerabilities, including specific
examples of actual PPP CHAP compromised traffic -- and for extra credit,
actual compromise of netbsd and/or openbsd software distribution.




Re: PlayStation 3 predicts next US president

2007-12-02 Thread James A. Donald

William Allen Simpson wrote:
> Weger, B.M.M. de wrote:
>> See http://www.win.tue.nl/hashclash/Nostradamus if
>> you want to know the details of what this has to do
>> with cryptography.
>>
> It always bothers me as these things are announced,
> but are based on presumptions that have absolutely no
> relevance in the real world
>
> Therefore, nothing to do with cryptography (which is
> not a parlor trick).
>
>> This implies a vulnerability in software integrity
>> protection and code signing schemes that still use
>> MD5. See
>> http://www.win.tue.nl/hashclash/SoftIntCodeSign for
>> details.
>>
> There is no such MD5 vulnerability implied.  As the
> paper itself states:
>
>   In cryptographic terms: our attack is an attack on
>   collision resistance, not on preimage or second
>   preimage resistance. This implies that both
>   colliding files have to be specially prepared by the
>   attacker, before they are published on a download
>   site or presented for signing by a code signing
>   scheme. Existing files with a known hash that have
>   not been prepared in this way are not vulnerable.
>
> Since this "attack" requires the certifier be
> compromised, the attacker could also modify the
> program data itself undetectably.  That is, this
> theoretical problem actually is more effort than the
> obvious attack!

This attack does not require the certifier to be
compromised.

The attack was to generate a multitude of predictions
for the US election, each of which has the same MD5
hash.  If the certifier certifies any one of these
predictions, the recipient can use the certificate for
any one of these predictions.

> In summary, there are exactly zero instances where
> this use of MD5 would actually present a
> vulnerability.

This attack renders MD5 entirely worthless for any use
other than as an error check like CRC - and CRC does it
better and faster.
