Beefy Boxes and Bandwidth Generously Provided by pair Networks
laziness, impatience, and hubris
 
PerlMonks  

Re^6: On showing the weakness in the MD5 digest function and getting bitten by scalar context

by BrowserUk (Pope)
on Aug 27, 2004 at 22:06 UTC ( #386506=note: print w/ replies, xml ) Need Help??


in reply to Re^5: On showing the weakness in the MD5 digest function and getting bitten by scalar context
in thread On showing the weakness in the MD5 digest function and getting bitten by scalar context

Maybe I am? Did you find something somewhere that suggested that they could start with an md5 and generate a plaintext with that md5?

What I read, led me to believe that what they were saying is that they had discovered a way to take one piece of plain text, generate its md5, and then by manipulating the original plaintext, generate another plaintext with the same md5.

But note. If I read it right, they need the original text to produce the new one.

For password applications, this means they would need the original password in order to produce another piece of text that had the same md5. But why bother when you have the original password?

So what other vulnerabilities arise from this discovery? If they start with the source or binary of some application that is downloadable and is checksummed with md5. They produce a modified version of that binary with the same md5. Will it run? Will it open a known port and listen for mother? Will it monitor the keyboard for passwords?

Or, they have the text of an important message and it's md5. They produce a different message with the same md5. Will it cause the bank to transfer funds to their bank account? Or recall the nuclear bombers? Instruct the enemies operative in Washington to fall into the counter espionage trap at the cafe? Will it even be readable as English (French, German, Chinese or Swahili)?

If the md5 is being used to stop them from knowing the text it was generated from (password), and they need to know that password to exploit the md5--no vulnerability.

If there is open access to the plaintext, and the md5 is designed to ensure that the plaintext hasn't been altered, they can produce another plaintext with the same md5, but will it make any sense? Never mind actually do anything subversive, or to their advantage.

Maybe I misunderstood what I read? Maybe, there is an application that allows the fact the the alternative plaintext is gibberish to be ignored and compromise something?


Examine what is said, not who speaks.
"Efficiency is intelligent laziness." -David Dunham
"Think for yourself!" - Abigail
"Memory, processor, disk in that order on the hardware side. Algorithm, algorithm, algorithm on the code side." - tachyon


Comment on Re^6: On showing the weakness in the MD5 digest function and getting bitten by scalar context
Re^7: On showing the weakness in the MD5 digest function and getting bitten by scalar context
by Anonymous Monk on Aug 28, 2004 at 22:16 UTC
    Maybe I misunderstood what I read? Maybe, there is an application that allows the fact the the alternative plaintext is gibberish to be ignored and compromise something?
    Don't know if I got that correctly, but sabotaging a p2p network could be such an application. If a p2p network uses hashes to identify files, you could use this weakness to supply gibberish data (parts) to prevent successful downloads.

      Yes, I think that would work.

      A workaround might be quite easy though.

      Produce 2 md5s. One from the whole file and another from the file minus 1 byte (first, last or middle). Or make the second md5 just the first half of the file; or from just the 10th, 20th, 30th etc. bytes (or whichever bytes the attack modifies to compromise the md5).

      Now the attackers not only have the task of finding a duplicate file with the same md5, they have to produce one that matches two md5s.

      Again, my math lets me down, but doesn't that make their job much, *much* harder?


      Examine what is said, not who speaks.
      "Efficiency is intelligent laziness." -David Dunham
      "Think for yourself!" - Abigail
      "Memory, processor, disk in that order on the hardware side. Algorithm, algorithm, algorithm on the code side." - tachyon

        Yes, it's probably possible to come up with a workaround that would allow us to continue using MD5 securely, much like triple DES allows us to keep using DES. Now that there's a good alternative to DES, though (namely AES), there's no reason to keep using triple DES (which is slow). There's already a good alternative to MD5, so there's no reason to kludge up a workaround.

        Note that nobody ever uses double DES. That's because it is vulnerable to a meet-in-the-middle attack. Secure workarounds are hard to design.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://386506]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others about the Monastery: (9)
As of 2014-07-30 03:35 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite superfluous repetitious redundant duplicative phrase is:









    Results (229 votes), past polls