MD5 To Be Considered Harmful Today

From: Pavel Machek (pavel_at_ucw.cz)
Date: 12/08/04

  • Next message: Martin Schulze: "[SECURITY] [DSA 606-1] New nfs-utils packages fix denial of service"
    Date: Wed, 8 Dec 2004 02:39:41 +0100
    To: Dan Kaminsky <dan@doxpara.com>
    
    
    

    Hi!

    > I've been doing some analysis on MD5 collision announced by Wang et al.
    > Short version: Yes, Virginia, there is no such thing as a safe hash
    > collision -- at least in a function that's specified to be
    > cryptographically secure. The full details may be acquired at the
    > following link:

    Yes, nice paper, and here you have nice story:

    Okay, lets have two friends and one horse. Let's say Pavel and
    Bara. Bara owns a horse, and needs money, so she wants to sell
    it. Horse has some problems with its back, and Bara would be willing
    to sell it for around $1300. Therefore she's quite surprised when
    Pavel offers her $14000, and agrees immediately.

    From: Pavel
    To: Bara

    Hi!

    I'd like to buy Fita. If you accept my offer (msg1), just sign and
    send it back.

    :~/misc/md5$ cat msg1
    I agree to sell you my horse ^Fita^, its saddle and harness for price 14000 dollars. Signed Bara

    :~/misc/md5$ md5sum msg1
    57ce330a6c6ca8e9ffab4f3b36b2a1a5 msg1
    :~/misc/md5$

    (Bara signs msg1 and sends it back to Pavel). Two days later, Pavel
    comes with a car, and $1000. Bara denies she offered Fita for $1000,
    but can not find copy of the e-mail exchange. Fortunately Pavel has a
    copy with him, digitaly signed by Bara. They view it on her computer,
    and verify the signatures. At that point Bara agrees she probably made
    a mistake, and accepts $1000...

    :~/misc/md5$ cat msg2
    I agree to sell you my horse ^Fita^, its saddle and harness for price 1000 dollars. Signed Bara

    :~/misc/md5$ md5sum msg2
    57ce330a6c6ca8e9ffab4f3b36b2a1a5 msg2
    :~/misc/md5$

    (With apologies to Bara; let's hope she'll never find out).

                                                                    Pavel
    PS: I tried it on linux console, and it does some nasty terminal
    tricks. Of course, if Bara investigated, she'd probably found out
    how...

    -- 
    People were complaining that M$ turns users into beta-testers...
    ...jr ghea gurz vagb qrirybcref, naq gurl frrz gb yvxr vg gung jnl!
    
    
    




  • Next message: Martin Schulze: "[SECURITY] [DSA 606-1] New nfs-utils packages fix denial of service"