Scripsit Florian Weimer <[EMAIL PROTECTED]>

> * Jochen Voss:
>> I found the example at http://www.cits.rub.de/MD5Collisions/ quite
>> impressive. They have two different valid PostScript files with
>> identical MD5 sums. I don't know how much computing time they used,
>> though.

They claim a few hours:

| Based on [WY05] and the analysis described in [Da], we implemented
| an attack to find random collisions for the MD5 compression
| function. It took just a few hours on a customary PC.

> None, many of these examples were created before the collision
> generation tools were generally available.

They did create or use a collision, as anyone can verify simply by
downloading the files. Whether or not they used a generally available
tool is not important to the fact that a collision was actually
generated.

> The "exploit" uses some properties of Postscript files which make
> them not very desirable for storing electronic documents which
> cannot be altered.

There is absolutely no reason to put the word exploit in scare quotes
here. You might want to notice that the "properties" you apparently
think invalidate the example are also shared by many common formats
for software. An ELF binary can easily be crafted to contain a blob of
initialized data whose contents are only used for checking whether to
enable some malicious machine code that is always present - and this
would not be easily detectable at all.

The only thing that would seem to make it less than straightforward to
craft a similar attack consisting of two different .deb files with the
same MD5 sum of which one behaves maliciously, is the need to trick
the CRC-32 in the gzip trailer for data.tar.gz simultaneously with
tricking MD5. But a CRC-32 is, to put it mildly, not much of a defense
against a determined attacker! All it takes to beat *that* is finding
at most 33 different MD5 single-block collisions in sequence; it is
then a matter of extremely simple linear algebra to find a nontrivial
combination of them that cancel out each other's effect on the CRC.
Note that the gzip compression format allows blocks of compressed data
to specify use of the "no compression" algorithm, so injecting your
collisions in a gzipped data stream is trivial, too.

> (Note the "rub.de" part of the URL. A clear warning sign.)

The nice thing about ad hominem arguments is that you can make them
without ever having to argue the merits of your case.

--
Henning Makholm
"I always thought being *real* sad would be *cooler* than acting *fake* sad,
but it's not. It's not cool at *all*."

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
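The mail's point that a CRC-32 "is not much of a defense" rests on the checksum being linear: the effect of several independent block substitutions on the CRC is just the XOR of their individual effects, so 33 such 32-bit effects are necessarily linearly dependent over GF(2). The following Python, added here as an illustration and not part of the thread, checks that additivity with `zlib.crc32` on constructed random data; the function names and the 64-byte block layout are the example's own choices.

```python
import os
import zlib

# Constructed demonstration (added example, not from the mail) of why a
# CRC-32 cannot detect adversarial changes: CRC-32 is affine over GF(2),
# so the checksum change caused by several independent modifications is
# the XOR of the changes each modification causes on its own.


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def crc_delta(base: bytes, variant: bytes) -> int:
    """32-bit change in CRC caused by replacing `base` with `variant`."""
    return zlib.crc32(base) ^ zlib.crc32(variant)


def crc_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """For equal-length inputs, crc(a ^ b ^ c) == crc(a) ^ crc(b) ^ crc(c)."""
    lhs = zlib.crc32(xor_bytes(xor_bytes(a, b), c))
    rhs = zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)
    return lhs == rhs


def block_deltas_add(message: bytes, block_size: int, replacements: dict) -> bool:
    """Substitute several whole blocks at once and check that the resulting
    CRC change equals the XOR of each substitution's CRC change in isolation.
    `replacements` maps block index -> new block of `block_size` bytes."""
    combined = bytearray(message)
    expected_delta = 0
    for idx, new_block in replacements.items():
        start, end = idx * block_size, (idx + 1) * block_size
        single = bytearray(message)
        single[start:end] = new_block          # only this block changed
        expected_delta ^= crc_delta(message, bytes(single))
        combined[start:end] = new_block        # accumulate all changes
    return crc_delta(message, bytes(combined)) == expected_delta


def demo(n_blocks: int = 33, block_size: int = 64) -> bool:
    """Random 33-block message (constructed); replace every third block."""
    message = os.urandom(n_blocks * block_size)
    replacements = {i: os.urandom(block_size) for i in range(0, n_blocks, 3)}
    a, b, c = (os.urandom(32) for _ in range(3))
    return crc_is_affine(a, b, c) and block_deltas_add(message, block_size, replacements)


if __name__ == "__main__":
    print("CRC-32 deltas combine by XOR:", demo())
```

Because the deltas combine by XOR, any keyed MAC or signature, not a CRC, is what actually protects an archive against deliberate modification.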