Re: MD5 collisions found - alternative?
On Wed, Aug 25, 2004 at 12:39:57AM +0200, Rolf Kutz wrote:
> If you can calculate a collision from the hash and
> the known password, that would be a lack of
> collision resistance.
Is knowing the password really a prerequisite? I'd have said that if
you can find a collision at all, or calculate a collision for a given
hash, that would be lack of collision resistance...
> The difference between a hash for a signature and
> a hash for a password is that you know the plain
> text in the first case.
Sure. But does it really make such a difference for finding a
collision, if you know the plaintext, rather than its hash? The
latter can always be computed trivially in the usual forward fashion.
(Just asking out of curiosity, not to argue in any direction
> > documents, you'd probably have some very specific message in mind (at
> > least not some random string) that you'd like to fake as originating
> > from someone else.
> This depends on how the attack really works. If
> you just need to flip a few bits in a document it
> might just look like typos (think crc32). If your
> document is a tarball or a .deb you might be able
> to insert a lot of "garbage" to it without being
I agree, in general. OTOH, if you have something like a tar.gz file,
I'd presume it's rather challenging to make some change to the content
being packaged in such a way that both tar.gz's still have the same
md5, same size -- and unpack without error. And even more challenging,
if that change is supposed to achieve a certain predefined effect... ;)
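An added example (mine, not from the thread) that makes the distinction discussed above concrete. On a toy hash (MD5 truncated to 16 bits, a constructed setting that says nothing about full MD5) it counts the work for a preimage search given only the hash, the same search when the plaintext is also known (a second preimage), and a free collision search where both inputs are chosen; all inputs and names are constructed.

```python
import hashlib

def trunc_md5(data: bytes, bits: int) -> int:
    """Top `bits` bits of MD5: a toy hash small enough for exhaustive search."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - bits)

def find_preimage(target: int, bits: int, limit: int, exclude=None):
    """Hash-only attacker: try candidates until one hashes to `target`.
    With exclude=<known plaintext> the same loop is a second-preimage search,
    i.e. the 'plaintext is known' case. For an ideal hash both cost ~2**bits.
    Returns (candidate, evaluations) or (None, limit)."""
    for i in range(limit):
        cand = b"pw%d" % i
        if cand != exclude and trunc_md5(cand, bits) == target:
            return cand, i + 1
    return None, limit

def find_collision(bits: int, limit: int):
    """Both inputs free: birthday search, ~2**(bits/2) evaluations expected;
    by the pigeonhole principle 2**bits + 1 distinct inputs always collide.
    Returns (m1, m2, evaluations) or (None, None, limit)."""
    seen = {}
    for i in range(limit):
        cand = b"doc%d" % i
        h = trunc_md5(cand, bits)
        if h in seen:
            return seen[h], cand, i + 1
        seen[h] = cand
    return None, None, limit

def compare_work(bits: int = 16) -> dict:
    """Count hash evaluations for the three scenarios on a constructed secret."""
    known = b"pw50000"               # constructed secret, inside the candidate space
    target = trunc_md5(known, bits)  # all a password-hash attacker gets to see
    limit = 8 * 2 ** bits
    _, pre = find_preimage(target, bits, limit)
    _, second = find_preimage(target, bits, limit, exclude=known)
    _, _, coll = find_collision(bits, 2 ** bits + 1)
    return {"preimage": pre, "second_preimage": second, "collision": coll}

if __name__ == "__main__":
    print(compare_work())
```

Knowing the plaintext only saves the trivial forward computation of its hash; the expensive part, finding a different input with the same hash, costs about the same in both cases, while choosing both inputs freely is far cheaper.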