On 12/14/04, [EMAIL PROTECTED] (Ben Laurie) wrote:
Dan Kaminsky's recent posting seems to have caused some excitement, but I really can't see why. In particular, the idea of having two different executables with the same checksum has attracted attention.
But the only way I can see to exploit this would be to have code that did different things based on the contents of some bitmap. My contention is that if the code is open, then it will be obvious that it does "something bad" if a bit is tweaked, and so will be suspicious, even if the "something bad" is not triggered in the version seen.
So, to exploit this successfully, you need code that cannot or will not be inspected. My contention is that any such code is untrusted anyway, so being able to change its behaviour on the basis of embedded bitmap changes is a parlour trick. You may as well have it ping a website to find out whether to misbehave.
One scenario that might form an attack is to take code which is normally distributed in executable form, for example RPMs, and make it possible to have two different programs that pass the same signature check. Given that someone has arranged to have the doppleganger blocks generated as part of the output of the compiler, different binaries can later be injected into the distribution system without a signature verification failure.
Indeed, but what's the point? If you control the binary, just distribute the malicious version in the first place.
People seem to be having a hard time grasping what I'm trying to say, so perhaps I should phrase it as a challenge: find me a scenario where you can use an MD5 collision to mount an attack in which I could not mount an equally effective attack without using an MD5 collision.
So, for example, in the scenario above, the attacker has control of a binary in which he can insert arbitrary content. Clearly, in his place, I can simply distribute malware without any MD5 collisions.
Cheers,
Ben.
-- http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]