[p2p-hackers] SHA1 broken?
Zooko O'Whielacronx
zooko at zooko.com
Thu Feb 17 20:30:55 UTC 2005

This topic -- whether collision-resistance is or is not necessary for
secure identification of content -- has been discussed extensively on
the cryptography at metzdowd mailing list recently. Ben Laurie started it
with a post entitled "The pointlessness of MD5 attacks". Here is my
contribution to that discussion:
http://thread.gmane.org/gmane.comp.encryption.general/5717

This note I posted alludes to this kind of situation:
Bob, the honest and noble software maintainer, writes a good piece of
software, S1, and then asks Charles the Malicious Multimedia Master to
give him an icon to include in the package. Charles writes some
malicious software S2, and then finds an icon I1 and another icon I2
such that MD5(B1) == MD5(B2), where B1 is the binary package resulting
from packaging software S1 and icon I1, and B2 is the binary package
resulting from packaging software S2 and icon I2. Charles then gives
I1 to Bob, who compiles B2 himself. Charles generates T1 == MD5(B1),
and distributes B1, telling Alice "Please verify that the binary
package you download and run matches the hash T1.".
Charles sends Alice a copy of binary software package B2, who verifies
that MD5(B2) == T1, and then trusts the binary package as though it
were a package that Bob wrote.

Now to be clear: I don't know if the current attacks on MD5 and SHA1
enable Charles to do this! Because I don't know if those attacks can
be used when there is a fixed IV or a fixed part of the message which
is chosen by someone (Bob) other than the attacker (Charles).

However, I do know that if a hash is collision-resistant then the
situation outlined above cannot occur, but that if a hash is
non-collision-resistant, then the situation outlined above *might* be
possible, even if the hash is second-preimage resistant.

I guess the challenge presented to Charles in the situation outlined
above occupies a sort of middle ground between collision-resistance and
second-preimage-resistance. The HMAC challenge occupies another niche
in that middle ground -- in the situation described above, Charles is
given a fixed IV or a fixed part-of-the-message. In the HMAC
situation, Charles is faced with an IV which is random and unknown to
him.

Regards,
Zooko
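The scenario described in the post, as a toy model that is an added example and not part of the original message: SHA-256 truncated to 24 bits stands in for MD5 so that the icon-collision search finishes in milliseconds, the names S1, S2, I1, I2, B1, B2 and T1 follow the post, and the "Bob adds a build nonce" defence at the end is an assumption of this example (in the spirit of the random, unknown IV the post mentions for HMAC), not something the post proposes. Real MD5/SHA-1 attacks are structural and look nothing like this brute-force search; the point is only why the scenario needs collision resistance rather than second-preimage resistance.

```python
"""Toy model of the collision scenario: a 24-bit digest plays the role of MD5."""
import hashlib

DIGEST_BYTES = 3            # 24-bit toy digest: birthday bound is ~2^12 trials per side
SEPARATOR = b"\n--icon--\n"


def toy_hash(data: bytes) -> bytes:
    """Truncated SHA-256, standing in for MD5 (toy only)."""
    return hashlib.sha256(data).digest()[:DIGEST_BYTES]


def package(software: bytes, icon: bytes) -> bytes:
    """Bob's packaging step: the software (not chosen by Charles) plus the icon (chosen by Charles)."""
    return software + SEPARATOR + icon


def find_colliding_icons(s1: bytes, s2: bytes, max_tries: int = 1 << 20):
    """Charles's search for I1, I2 with toy_hash(package(S1, I1)) == toy_hash(package(S2, I2)).

    Two tables, one per software, checked against each other (a birthday search).
    Cost is about 2^(n/2) hashes per side: trivial for n=24, hopeless for n=128
    unless the hash has a structural weakness, which is the post's whole question.
    """
    seen_s1 = {}   # digest -> icon tried together with S1
    seen_s2 = {}   # digest -> icon tried together with S2
    for i in range(max_tries):
        icon = b"icon-" + i.to_bytes(4, "big")
        d1 = toy_hash(package(s1, icon))
        if d1 in seen_s2:
            return icon, seen_s2[d1]
        seen_s1[d1] = icon
        d2 = toy_hash(package(s2, icon))
        if d2 in seen_s1:
            return seen_s1[d2], icon
        seen_s2[d2] = icon
    return None


def second_preimage_search(target: bytes, s2: bytes, max_tries: int):
    """What Charles would face if B1 were fixed before he chose anything: ~2^n tries, not 2^(n/2).
    Uses its own icon namespace so it cannot stumble on the pair found above."""
    for i in range(max_tries):
        icon = b"2p-" + i.to_bytes(4, "big")
        if toy_hash(package(s2, icon)) == target:
            return icon
    return None


def alice_verifies(binary: bytes, t1: bytes) -> bool:
    """Alice's check exactly as described: does the download match T1?"""
    return toy_hash(binary) == t1


def run_scenario():
    s1 = b"honest software S1 written by Bob"          # constructed sample
    s2 = b"malicious software S2 written by Charles"   # constructed sample
    i1, i2 = find_colliding_icons(s1, s2)
    b1 = package(s1, i1)        # what Bob builds from S1 and the icon Charles handed him
    b2 = package(s2, i2)        # what Charles ships to Alice
    t1 = toy_hash(b1)           # the published hash
    # Assumed defence (not from the post): if Bob folds in a value Charles did not
    # know when he ran his search, the precomputed pair stops colliding.
    bob_nonce = b"constructed-build-nonce-7f3a"
    b1_nonced = package(s1 + bob_nonce, i1)
    b2_nonced = package(s2 + bob_nonce, i2)
    return {
        "packages_differ": b1 != b2,
        "alice_accepts_b2": alice_verifies(b2, t1),
        "nonced_still_collides": toy_hash(b1_nonced) == toy_hash(b2_nonced),
        "second_preimage_in_1000": second_preimage_search(t1, s2, 1000),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two things to read off the result: Alice's check passes for B2 even though she followed the instructions exactly, because the only guarantee she relied on was the hash, and Charles never needed a second preimage of B1, only a collision between two messages he partly controlled before B1 existed. Anything Bob adds after receiving the icon, and that Charles could not predict, moves the problem back toward the second-preimage setting.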