RE: Possibility to cheat integrity checking?
From: robert_david_graham (robert_david_graham@yahoo.com) Date: 03/14/02
- Previous message: Martin Roesch: "Re: [more specific] Signature vs. Protocol Analysis"
- In reply to: Stephen P. Berry: "Re: Possibility to cheat integrity checking?"
- Next in thread: Shaiful: "RE: Possibility to cheat integrity checking?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: robert_david_graham <robert_david_graham@yahoo.com> To: "'Stephen P. Berry'" <spb@meshuggeneh.net>, "'robert_david_graham'" <robert_david_graham@yahoo.com> Date: Thu, 14 Mar 2002 16:18:32 -0500
> >MD5 is cryptographically secure: think of as 128-bit
> encryption with SSL.
> This isn't entirely accurate. MD5 isn't an encryption
> algorithm at all;
I should have prefaced with the statement that there are different levels of
answers for newbies and for advanced.
Newbie FAQ: Can't I just alter the file so that the new checksum matches the
original checksum?
Basic answer: No. Unlike standard checksums and CRCs, MD5 is cryptographic.
Cracking MD5 is the same order of difficulty as cracking strong encryption
(i.e. you can't do it).
More complex discussion:
Just because you can't brute-force the MD5 hash doesn't mean you can't hack
it in other ways. Strong crypto is hacked all the time -- people aren't
actually cracking it, they are getting around it. In this case, one way to
get around MD5 hash checking is to install a rootkit on the system that
provides the original bytes of the changed file to anybody trying to hash
it.
> And in fact weaknesses in MD5 have in fact been found.
Potential weaknesses have been found in MD5; nobody has found anything
better than brute-force yet, but people suspect that they might eventually
be found. Paranoids should use SHA-1. However, MD5 is faster, which is why
people continue to use it for tripwire-type functions. I trust it. (If the
guiding principle of security was at the expense of everything else, we
would still be using one-time-pads -- MD5 is more practical than SHA-1).
> Actually, I believe the current estimate for initial outlay to obtain
> a brute force solution of a 128 bit hash in under a month is
> US$250000[1].
You are talking about MD5 used in password authentication mechanisms. That's
a different beast than file hashes -- passwords usually have less than
128-bits of entropy. There is, in fact, a program called "MD5crack" for this
purpose.
> The difference is nontrivial. If you could actually use MD5 as
> an encryption algorithm, that would be a -real- Big Win, because
> it would mean you could store any (non-infinite)
> quantity of data in 128 bits of storage.
I meant simply that MD5 was cryptographically "strong" in much the same way
that symmetric ciphers are "strong", not that it was a symmetric cipher.
In any case, you can make symmetric ciphers out of hashes, and you can make
hash algorithms out of symmetric ciphers (indeed, I think one of the
criteria for AES is that the cipher should be easily useable as a
hash-function as well -- ruling out algorithms like Blowfish that have
expensive key schedules). We aren't talking about compressing the file into
128-bits when we discuss using hashes as symmetric ciphers.
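The tripwire-style checking the thread is about, as an added example that is not part of the original message: a baseline of file digests is recorded, the files are re-hashed later, and any file whose digest no longer matches (or which has vanished) is reported. The helper names (`digest_file`, `build_baseline`, `verify`, `demo`) and the two sample files are assumptions constructed for the example; it uses Python's `hashlib` for MD5/SHA-1 and flips one byte of a file to show that the whole digest changes, which is why an attacker cannot simply patch a file until its checksum matches again.

```python
import hashlib
import hmac
import os
import tempfile

# Hypothetical tripwire-style helper (added example, not code from the thread).


def digest_bytes(data, algo="sha1"):
    """Hex digest of an in-memory byte string with the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path, algo="sha1", chunk_size=65536):
    """Hash a file in chunks so large files need not fit in memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algo="sha1"):
    """Record the digest of each file; in practice keep this on read-only media."""
    return {path: digest_file(path, algo) for path in paths}


def verify(baseline, algo="sha1"):
    """Re-hash every baselined file and classify it as ok, modified or missing."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            report[path] = "missing"
            continue
        actual = digest_file(path, algo)
        # compare_digest avoids leaking match length through timing
        report[path] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    return report


def bit_difference(hex_a, hex_b):
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def demo(algo="sha1"):
    """Constructed scenario: two files, one altered by a single byte and one
    deleted after the baseline was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        passwd = os.path.join(tmp, "passwd")
        hosts = os.path.join(tmp, "hosts")
        with open(passwd, "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        with open(hosts, "wb") as f:
            f.write(b"127.0.0.1 localhost\n")

        baseline = build_baseline([passwd, hosts], algo)
        before = baseline[passwd]

        # Tamper: change exactly one byte ("/bin/sh" -> "/bin/zh")
        with open(passwd, "r+b") as f:
            f.seek(len(b"root:x:0:0:root:/root:/bin/"))
            f.write(b"z")
        os.remove(hosts)

        report = verify(baseline, algo)
        after = digest_file(passwd, algo)
        return {
            "status": {os.path.basename(p): s for p, s in report.items()},
            "bits_changed": bit_difference(before, after),
            "digest_bits": len(before) * 4,
        }


if __name__ == "__main__":
    result = demo()
    print(result["status"])
    print("one-byte change flipped %d of %d digest bits"
          % (result["bits_changed"], result["digest_bits"]))
```

The one-byte edit flips roughly half of the 160 SHA-1 digest bits, which is the property the message relies on when it says the file cannot be adjusted to reproduce the old checksum. The caveat the message raises still applies: a checker like this reads files through the running kernel, so a rootkit that serves the original bytes to anything hashing the file defeats it, which is why the baseline and the check itself should run from trusted, offline media.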