Re: MD5 Collisions...
- From: Josh Paetzel <josh@xxxxxxxxx>
- Date: Tue, 4 Dec 2007 12:26:53 -0600
On Tuesday 04 December 2007 10:43:45 am Eygene Ryabinkin wrote:
> Josh, good day.
>
> Tue, Dec 04, 2007 at 10:10:32AM -0600, Josh Paetzel wrote:
> > > The usefulness of this with application to the ports collection
> > > is questionable, since you would need to make two colliding archives,
> > > both of them would need to be unpackable, and the second would need to
> > > do some evil things. But strictly speaking, there are attacks producing
> > > files with the same size and MD5 hash.
> > > http://www.cits.rub.de/MD5Collisions/ is also good reading.
> >
> > It's not really questionable.... for all practical purposes it's
> > worthless. In order to generate meaningful same-length collisions you
> > need control of the original file. (Your links go to lengths to explain
> > this...) In the case of a ports distfile, if you have control of the
> > original file you really don't need to go to great lengths to generate
> > collisions; you can simply toss your malicious content in there right
> > from the get-go.
>
> Yes, thanks for clarifying the point that one should be able to control
> both sequences in order to produce colliding files with the same size.
>
> But there is at least one scenario where such an attack is useful, if
> one is able to produce two colliding source archives. Suppose
> I am providing a port with new sources (either a new port or an
> update to the current one) and I am controlling the source tarballs.
> The sources will supposedly be reviewed by some parties and they
> will find no backdoors in them. So the port comes into the systems and
> it is thought to be good and useful.
>
> Once the port has proved itself, I replace the good source tarballs
> with the evil ones (remember, I had prepared two colliding archives)
> and no one will notice the difference with an MD5 + size check. But new
> port installations will be doing something different from the sources
> that were reviewed.
>
> Again, this is only a theoretical thing with many preconditions, but
> if I am able to make two colliding archives, then the other things are
> not very hard to achieve. People are producing colliding X.509
> certificates, so we have an example of not 'just junk colliding
> content', but something meaningful.
>
> I am not going to flame about the real possibility of doing this,
> for many reasons, the first one being that it is no longer doable for
> the current ports, where SHA256 is in the game. All I wanted to say is
> that there are scenarios where one can exploit the MD5 weakness, provided
> one can extend MD5 collision attacks to archives.
>
> Shutting up.

Well, your point is well made, correct, and a realistic scenario (depending on
your paranoia level).

I totally agree with the original links posted. We know MD5 has problems;
it's only a matter of time before a really significant one is discovered,
therefore it makes sense to avoid using it whenever possible, even if the
current problems don't seem to affect your use case.
--
Thanks,
Josh Paetzel
PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
Attachment:
signature.asc
Description: This is a digitally signed message part.
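The tarball-swap scenario discussed in the thread, as an added example that is not code from the thread, from the FreeBSD ports tree or from the linked pages. It shows the property the whole argument rests on: in a Merkle-Damgård hash, once two blocks collide after a shared prefix, any common suffix (the rest of the archive) keeps the two files colliding and of equal length, so an MD5 + SIZE check cannot tell the reviewed tarball from the swapped one, while a SHA256 line in the same distinfo does. The hash here is a constructed 16-bit toy (an assumption made so a collision can be found by brute force); MD5 is not toy-sized, but its identical-prefix collisions have exactly this structure. The distinfo layout and the names toy_md, distinfo, verify and demo are also assumptions for the demo.

```python
# Added example (not from the thread or the ports tree): why one colliding
# block becomes two colliding archives of equal size, and why a distinfo
# check that also carries SHA256 catches the swap.  The hash is a
# constructed 16-bit toy Merkle-Damgard function, not MD5.
import hashlib
import struct
from typing import Dict, Tuple

BLOCK = 4          # toy block size in bytes (MD5 uses 64)
IV = 0x1234        # toy initial chaining value


def toy_compress(state: int, block: bytes) -> int:
    """Deliberately weak compression function: 16-bit state, 4-byte block."""
    s = state
    for b in block:
        s = ((s * 0x9E37 + b + 0x6B) ^ (s >> 3)) & 0xFFFF
    return s


def chain(state: int, data: bytes) -> int:
    """Absorb whole blocks into the chaining state (no padding)."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = toy_compress(state, data[i:i + BLOCK])
    return state


def toy_md(data: bytes) -> int:
    """Merkle-Damgard hash: pad with 0x80, zeros, then the message length."""
    msg = data + b"\x80"
    while (len(msg) + 4) % BLOCK:
        msg += b"\x00"
    msg += struct.pack("<I", len(data))
    return chain(IV, msg)


def find_colliding_blocks(prefix: bytes) -> Tuple[bytes, bytes]:
    """Identical-prefix collision: two different blocks that leave the same
    chaining state after `prefix`.  Pigeonhole guarantees a hit within
    2**16 + 1 distinct blocks on a 16-bit state (birthday search is faster)."""
    state = chain(IV, prefix)
    seen: Dict[int, bytes] = {}
    for n in range(1 << 17):
        blk = struct.pack("<I", n)
        out = toy_compress(state, blk)
        if out in seen:
            return seen[out], blk
        seen[out] = blk
    raise RuntimeError("no collision found")


def build_archives(prefix: bytes, suffix: bytes) -> Tuple[bytes, bytes]:
    """Two 'tarballs' sharing prefix and suffix and differing only in the
    colliding block.  The common suffix keeps the collision because the
    chaining state is already equal when the suffix is absorbed."""
    a, b = find_colliding_blocks(prefix)
    return prefix + a + suffix, prefix + b + suffix


def distinfo(data: bytes) -> dict:
    """What a distinfo entry records for a distfile (toy_md stands in for MD5)."""
    return {"toy_md": toy_md(data),
            "SHA256": hashlib.sha256(data).hexdigest(),
            "SIZE": len(data)}


def verify(entry: dict, data: bytes, with_sha256: bool) -> bool:
    """Old-style hash + SIZE check, optionally with SHA256 as current ports use."""
    ok = entry["SIZE"] == len(data) and entry["toy_md"] == toy_md(data)
    if with_sha256:
        ok = ok and entry["SHA256"] == hashlib.sha256(data).hexdigest()
    return ok


def demo() -> dict:
    # Constructed stand-ins for the reviewed tarball and the backdoored one.
    prefix = b"TAR!"   # one toy block; a real prefix would be the archive header
    suffix = b" reviewed sources ... rest of archive unchanged"
    good, evil = build_archives(prefix, suffix)
    entry = distinfo(good)   # what gets committed alongside the good tarball
    return {
        "differ": good != evil,
        "same_size": len(good) == len(evil),
        "same_toy_md": toy_md(good) == toy_md(evil),
        "old_check_passes_evil": verify(entry, evil, with_sha256=False),
        "sha256_check_passes_evil": verify(entry, evil, with_sha256=True),
        "sha256_check_passes_good": verify(entry, good, with_sha256=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two archives pass the toy hash + SIZE check interchangeably and fail only on SHA256, which is the point Eygene makes about the current ports: the collision-to-archive extension is cheap once the block collision exists, and a second, unbroken hash in distinfo is what closes the swap.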