[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: use of md5sum for tally sheet

On Sat, Apr 08, 2006 at 12:28:24AM +0200, Arthur de Jong wrote:
>   echo "adejong FOO" | md5sum

The hack allows you to come up with two strings:

     "adejong FOO"


     "adejong BAR"

where FOO and BAR are essentially garbage, but /different/ garbage, that have
the same md5sum. But what you need in order to exploit the tally sheet is
to have

      "adejong FOO"
      "ajt BAR"

end up with the same md5sum, so that you only need one line in the
tally sheet to represent our votes (which have to have been the same),
so that you can then add your own dummy vote however you choose.

TTBOMK, no one knows how to do that; and it's a pretty major step up from
even the current exploit. 

(I talked to Manoj about this earlier, and he thought it best to shift
to a better hash next time round, rather than change the verification
in the middle of a vote, which seemed reasonable)

FWIW, that's only exploitable when people vote exactly the same, which isn't
actually /that/ common; last year, with six candidates and 504 votes, there
were only 60 votes that were duplicates of another.


Attachment: signature.asc
Description: Digital signature

Reply to: