Hi Eric,

Technically speaking you're correct, they're signing a program. But most people, certainly non-techies like Alice's boss, view postscript (or MS Word, or <name your favourite document format that allows macros>) files not as programs but as static data. In being targeted at non-techies I find this attack more convincing than those of Mikle and Kaminsky, though essentially it's a very similar idea.

Note that opening the postscript files in an ASCII-editor (or HEX-editor) immediately reveals the attack. Stefan Lucks told me they might be able to obfuscate the postscript code, but again this will only fool the superficial auditor.

Grtz,
Benne

=========================================
Technische Universiteit Eindhoven
Coding & Crypto Groep
Faculteit Wiskunde en Informatica
Den Dolech 2
Postbus 513
5600 MB Eindhoven
kamer HG 9.84
tel. (040) 247 2704, bgg 5141
e-mail: [EMAIL PROTECTED]
www: http://www.win.tue.nl/~bdeweger
=========================================

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Rescorla
> Sent: maandag 13 juni 2005 17:05
> To: Stefan Lucks
> Cc: cryptography@metzdowd.com
> Subject: Re: Collisions for hash functions: how to exlain them to your boss
>
> Stefan Lucks <[EMAIL PROTECTED]> writes:
> > Magnus Daum and myself have generated MD5-collisions for PostScript files:
> >
> > http://th.informatik.uni-mannheim.de/people/lucks/HashCollisions/
> >
> > This work is somewhat similar to the work from Mikle and Kaminsky, except
> > that our colliding files are not executables, but real documents.
> >
> > We hope to demonstrate how serious hash function collisions should be
> > taken -- even for people without much technical background. And to help
> > you, to explain these issues
> >
> > - to your boss or your management,
> > - to your customers,
> > - to your children ...
>
> While this is a clever idea, I'm not sure that it means what you imply
> it means. The primary thing that makes your attack work is that the
> victim is signing a program which he is only able to observe mediated
> through his viewer. But once you're willing to do that, you've got a
> problem even in the absence of collisions, because it's easy to write
> a program which shows different users different content even
> without hash collisions. You just need to be able to write
> conditionals.
>
> For more, including an example, see:
> http://www.educatedguesswork.org/movabletype/archives/2005/06/md5_collisions.html
>
> -Ekr
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
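
Added example, not part of the original thread and not code from any of its authors: a small Python check for the construct the discussion turns on, a PostScript file that selects what it displays with a conditional. It assumes the switch is written as two literal strings compared with the standard `eq`/`ne` operators and fed to `ifelse`; the function names and the sample file are constructed for illustration.

```python
def tokenize(ps: bytes):
    """Minimal PostScript lexer: ("str", body) for literals, raw bytes otherwise."""
    i, n, out = 0, len(ps), []
    while i < n:
        c = ps[i:i + 1]
        if c.isspace():
            i += 1
        elif c == b"%":                      # comment: skip past end of line
            i = (ps.find(b"\n", i) + 1) or n
        elif c == b"(":                      # string: nested parens, backslash escapes
            depth, j = 1, i + 1
            while j < n and depth:
                ch = ps[j:j + 1]
                j += 2 if ch == b"\\" else 1
                depth += (ch == b"(") - (ch == b")")
            out.append(("str", ps[i + 1:j - 1]))
            i = j
        else:                                # brace (one char) or name/number
            j = i + 1
            while c not in b"{}" and j < n and ps[j:j + 1] not in b" \t\r\n(){}%":
                j += 1
            out.append(ps[i:j])
            i = j
    return out

def skip_proc(toks, k):  # index just past the balanced {...} at toks[k], else None
    if k is None or k >= len(toks) or toks[k] != b"{":
        return None
    depth = 0
    for j in range(k, len(toks)):
        depth += (toks[j] == b"{") - (toks[j] == b"}")
        if depth == 0:
            return j + 1
    return None

def find_content_switches(ps: bytes):
    """One finding per '(A) (B) eq|ne {..} {..} ifelse' construct in the source."""
    toks, hits = tokenize(ps), []
    for k in range(len(toks) - 2):
        a, b, op = toks[k:k + 3]
        if isinstance(a, tuple) and isinstance(b, tuple) and op in (b"eq", b"ne"):
            end = skip_proc(toks, skip_proc(toks, k + 3))
            if end is not None and toks[end:end + 1] == [b"ifelse"]:
                hits.append({"op": op.decode(), "operands_equal": a[1] == b[1]})
    return hits

# Constructed sample document, not one of the published colliding files.
SAMPLE = b"""%!PS-Adobe-1.0
(blockA) (blockB) eq { 72 700 moveto (Letter of recommendation) show }
{ 72 700 moveto (Order (grants access)) show } ifelse showpage\n"""
```

A hit is a reason to read the source before signing, not proof of a collision attack; as the thread notes, obfuscated PostScript can evade a pattern this simple.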