* Henning Makholm:

> Scripsit Florian Weimer <email@example.com>
>> * Jochen Voss:
>
>>> I found the example at http://www.cits.rub.de/MD5Collisions/ quite
>>> impressive. They have two different valid PostScript files with
>>> identical MD5 sums. I don't know how much computing time they used,
>>> though.
>
> They claim a few hours:
>
> | Based on [WY05] and the analysis described in [Da], we implemented
> | an attack to find random collisions for the MD5 compression
> | function. It took just a few hours on a customary PC.

I can no longer recall if this paragraph was present in the original
version of the page; I didn't notice it when I read it for the first
time.

>> None, many of these examples were created before the collision
>> generation tools were generally available.
>
> They did create or use a collision, as anyone can verify simply by
> downloading the files.

One collision was published by Wang et al. as a zero-knowledge proof of
their discovery. I thought they had reused this one, like many others
did.

>> The "exploit" uses some properties of Postscript files which make
>> them not very desirable for storing electronic documents which
>> cannot be altered.
>
> There is absolutely no reason to put the word exploit in scare quotes
> here.

Strictly speaking, you cannot exploit MD5 itself, you can only exploit
security systems that rely on some property of the MD5 function.

Let's look at what happens in the attack published by the RUB
researchers:

1. The attacker creates two Postscript files with the same MD5 hash.

2. The attacker submits one of the files to the victim.

3. The victim views the file in his Postscript viewer, doesn't notice
   anything strange, and signs it.

4. The attacker obtains the signature, and uses it together with the
   second file he has created.

A successful attack is possible if the following conditions are met:
(a) the attacker can create a suitable collision, (b) the victim uses
the document supplied by the attacker, (c) the victim only checks one
presentation form of the document, and (d) the document is used in a
way which does not lead to the victim disputing the signature, and into
investigation (which would immediately reveal the attack).

It turns out that we can actually do without (a). Have a look at the
attached Postscript with your favorite Postscript viewer, and sign it
if you agree with its message. 8-)

In my opinion, this modified attack strongly suggests that the process
described above is already substantially broken. MD5 is just a weak
part among others. As a result, the attack doesn't show what people
claim.

Just to be clear: I don't claim everything is alright with MD5. For
most applications, you should definitely migrate to something else
(what is a different question). But most organizations' resources are
limited, you can't afford to migrate too often, and you deal with many
issues at once. Correctly analyzing the relevance of security issues is
very important. Misleading claims about the impact of new attacks are
not helpful, may lead to wrong allocation of resources, and prevent
more important vulnerabilities from being addressed.

> You might want to notice that the "properties" you apparently think
> invalidate the example are also shared by many common formats for
> software. An ELF binary can easily be crafted to contain a blob of
> initialized data whose contents are only used for checking whether to
> enable some malicious machine code that is always present - and this
> would not be easily detectable at all.

In general, any form of malicious code is not easy to detect. But the
malicious code must be present in the first place. You can use a MD5
collision to make it dormant, but it has to be there.

This means that it's dangerous to commit yourself to the contents of a
document, using a digital signature, unless you fully understand the
meaning of each byte in the document.

>> (Note the "rub.de" part of the URL. A clear warning sign.)
>
> The nice thing about ad hominem arguments is that you can make them
> without ever having to argue the merits of your case.

*shrug*

The computer security folks at that university started spreading FUD
about various security systems, mainly rehashing the work of others.
They seem to be in it mostly for the publicity.
Description: PostScript document
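The message above argues that condition (c), the signer checking only one presentation form, is what really breaks the process: a PostScript file is a program, and what the viewer shows can depend on data inside the file rather than being fixed by its visible text. The following is an added example, not code from the thread or from the RUB page, of a pre-signing check a signer could run: it tokenises a PostScript program (skipping comments and string literals, so that the word "if" inside a sentence is not mistaken for the operator) and reports operators that make the rendered output data-dependent. The operator list and the two constructed sample documents are assumptions chosen for this example, not a complete specification of PostScript.

```python
import re

# Operators whose presence makes what the viewer shows depend on data or
# control flow instead of being fixed by the visible text.  This list is
# an assumption chosen for this example, not an exhaustive one.
DATA_DEPENDENT_OPERATORS = {
    "if", "ifelse", "eq", "ne", "loop", "for", "repeat", "forall",
    "exec", "cvx", "rand", "realtime", "usertime", "file", "run",
}

# Executable names, literal names (/name), procedure braces and dict
# delimiters; strings and comments are removed before this is applied.
TOKEN_RE = re.compile(r'/?[^\s()<>\[\]{}/%]+|[\[\]{}]|<<|>>')


def strip_strings_and_comments(src: str) -> str:
    """Blank out %-comments, (...) strings (nested, with backslash escapes)
    and <...> hex strings so words inside them cannot look like operators."""
    out, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c == '%':                      # comment runs to end of line
            while i < n and src[i] not in '\r\n':
                i += 1
        elif c == '(':                    # literal string, may nest
            depth = 0
            while i < n:
                if src[i] == '\\':        # escaped char: skip it entirely
                    i += 2
                    continue
                if src[i] == '(':
                    depth += 1
                elif src[i] == ')':
                    depth -= 1
                    if depth == 0:
                        i += 1
                        break
                i += 1
            out.append(' ')
        elif c == '<' and i + 1 < n and src[i + 1] != '<':   # hex string
            j = src.find('>', i)
            i = n if j < 0 else j + 1
            out.append(' ')
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def data_dependent_operators(src: str) -> list:
    """Return the sorted distinct flagged operators that occur in
    executable position (literal /names are only keys, so they are skipped)."""
    found = set()
    for tok in TOKEN_RE.findall(strip_strings_and_comments(src)):
        if not tok.startswith('/') and tok in DATA_DEPENDENT_OPERATORS:
            found.add(tok)
    return sorted(found)


def safe_to_sign(src: str) -> bool:
    """A signer following the message's advice refuses to sign a document
    whose presentation it cannot fully account for from the visible text."""
    return not data_dependent_operators(src)


# Constructed sample: one fixed presentation; note that "if" inside the
# string literal must not trigger the check.
PLAIN_DOC = """%!PS-Adobe-2.0
%%Title: constructed sample, not from the thread
/Helvetica findfont 12 scalefont setfont
72 720 moveto
(I agree to the terms. Sign only if you agree.) show
showpage
"""

# Constructed sample: the text shown depends on a comparison, so a viewer
# shows one presentation form while the bytes contain another.
CONDITIONAL_DOC = """%!PS-Adobe-2.0
%%Title: constructed sample with a data-dependent presentation
/Helvetica findfont 12 scalefont setfont
72 720 moveto
(block-one) (block-two) eq
  { (Presentation A) show }
  { (Presentation B) show }
ifelse
showpage
"""

if __name__ == "__main__":
    for name, doc in (("plain", PLAIN_DOC), ("conditional", CONDITIONAL_DOC)):
        flagged = data_dependent_operators(doc)
        verdict = "safe to sign" if safe_to_sign(doc) else "refuse"
        print(f"{name}: {verdict}; flagged operators: {flagged}")
```

The check is deliberately about the document format, not about MD5: it addresses condition (c) regardless of which hash the signature uses, which is the point the message makes with its collision-free variant of the attack. A real deployment would pair it with a fixed rendering (for example, signing a rasterised image of the page) rather than trusting a heuristic operator list alone.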