[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#788783: openssh-client: uses MD5 for key fingerprints



severity 788783 normal
kthxbye

On Wed, Jun 17, 2015 at 12:01:09PM +0100, Mark Wooding wrote:
> The best technique I can think of uses Kelsey and Schneier's expandable
> messages, which uses collisions in the underlying compression function
> to obtain a second preimage for the hash of a /very long/ original
> message.  Because the original message is very long, there are lots of
> likely distinct chaining values obtained while hashing it.  So the
> strategy is to look for collisions between these and intermediate values
> for your second-preimage message, so effectively you're searching for
> second preimages at the compression-function level, and get to count all
> of the applications of the compression function used to compute the hash
> of the challenge message towards your attack.  But all of this still
> requires about 2^{128} compression-function applications total.
> 
> There's a slight problem.  You can't just stick the appropriate suffix
> of the target message onto the end of your second-preimage prefix,
> because there's a length in the final block.  This is where the
> expandable messages come in, and this is where MD5's lack of collision
> resistance becomes significant: you look for a lot of collisions between
> message fragments of different lengths[1], so you can stitch them
> together to pad out the prefix to whatever length you need for the final
> block to come out right.

It looks like I misread OpenSSH's key handling code, in that I missed
the check for too many MPIs.  That makes the chosen prefix attacks from
Kuznetsov/Stevens less useful in this particular case.  So I agree that
in this case it is probably not sufficiently easy to be interesting,
although I think we're both in agreement that MD5 should go away fast.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Attachment: signature.asc
Description: Digital signature


Reply to: