[p2p-hackers] SHA1 broken?
Serguei Osokine
Serguei.Osokine at efi.com
Thu Feb 17 23:23:27 UTC 2005
On Thursday, February 17, 2005 Jim McCoy wrote:
> With this attack I could distribute a copy of a crypto library that
> seemed to match the hash it was supposed to have, but which was in
> fact opening you up to certain crypto attacks.
And on Thursday, February 17, 2005 Nick Lothian wrote:
> ...they just release the built .exe without the source (or even
> better - hack the original download site and replace the original
> version with their malicious version. If the hashes of the apps
> matched this could be pretty hard to detect).
Yes to both; but only if it were your library to begin with,
because it is essential that the *original* crypto library should have
"collision data A" - without it, this attack is impossible.
And not only that - the *original* crypto library would also have
to have a) the malicious code prepared to be launched (say, granting
root access or something), and b) the jump to this code that would not
be executed with "data A", but would - with "data B". And all of this
should already be present and ready for launch in the original library,
the one that would be used by everyone for years and would not do
anything visibly improper.
RSA could do this, for sure. Heck, anyone who owns some cryptolib
could do that - who scrutinizes cryptolib sources anyway? And it would
be even simpler if only the binaries are distributed. But if you own a
widely used cryptolib, you have simpler ways to include a backdoor
into your code and to activate it on an innocent-looking external
event - especially if you do not show anyone the sources and distribute
only the binaries. For anyone *but* the original code author, however,
achieving a malicious collision this way would be impossible.
So the Bad Charlie Webmaster from Zooko is pretty much out of
luck - he'd have to conspire with an honest programmer Bob to do any
harm. And an innocent programmer Bob is quite capable of doing plenty
of harm even without any help and without knowing anything about hash
properties, if he only pretends to be honest long enough. Why would
he want to bring Charlie into his scam?
Best wishes -
S.Osokine.
17 Feb 2005.
-----Original Message-----
From: p2p-hackers-bounces at zgp.org [mailto:p2p-hackers-bounces at zgp.org] On Behalf Of Jim McCoy
Sent: Thursday, February 17, 2005 2:32 PM
To: Peer-to-peer development.
Subject: Re: [p2p-hackers] SHA1 broken?
On Feb 17, 2005, at 2:11 PM, Serguei Osokine wrote:
> On Thursday, February 17, 2005 Nick Lothian wrote:
>> It's not hard to imagine spyware manufacturers modifying common
>> opensource applications (eg: p2p software) so they include spyware
>> and yet still have the same hash.
>
> Sure, but then they would have to find some innocent-looking
> way to include something like this into the open source app:
> [collision data A]
> - which is no big deal, could be a bitmap. However, after that they
> would have to modify the application to use the text above as a jump
> table to a malicious code, which would be dormant in the application
> until the data is changed to:
> [collision data B]
So tell me, when was the last time you ran your SSL library through a
debugger to determine with complete confidence that the moduli being
used were not insecure ones? With this attack I could distribute a
copy of a crypto library that seemed to match the hash it was supposed
to have, but which was in fact opening you up to certain crypto
attacks.
As was pointed out on the crypto list thread zooko referenced, this is
probably the only practical attack that can be made in this fashion
right now. I can replace your crypto modulus, some RNG seeds, and
other bits of data that are used by applications (and not just
displayed, like the bitmap you suggest) which are of the "big,
random-looking number" format.
Jim
_______________________________________________
p2p-hackers mailing list
p2p-hackers at zgp.org
http://zgp.org/mailman/listinfo/p2p-hackers
_______________________________________________
Here is a web page listing P2P Conferences:
http://www.neurogrid.net/twiki/bin/view/Main/PeerToPeerConferences
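The "data A / data B" construction the thread argues about, as an added example that is not part of the original messages or of any real library. It uses a toy Merkle-Damgard hash with a 24-bit chaining state so that a colliding block pair can be found by a birthday search in well under a second; real SHA-1 collisions come from a differential attack, not from this, and only the shape of the result (two different blocks that collide at a fixed position after a fixed prefix) is the same. The program layout, the `PROG0001` header, the `TRIGGER=` convention and `run_program` are all constructed for illustration. It goes one step beyond the text by also showing why the rest of the file can be anything at all: once the two blocks collide at a block boundary, any identical suffix (the dormant code, the trigger constant, the whole remaining binary) keeps the hashes equal.

```python
import hashlib

STATE_BYTES = 3   # 24-bit chaining state: small enough to collide by birthday search
BLOCK_SIZE = 8    # one message block
IV = b"\x00" * STATE_BYTES


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256 truncated to the tiny state.

    Its only weakness is the 24-bit state; the chaining structure is the
    same Merkle-Damgard shape as MD5/SHA-1, which is all this needs.
    """
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]


def chain(prefix: bytes, state: bytes = IV) -> bytes:
    """Run the chaining loop over whole blocks, without padding."""
    assert len(prefix) % BLOCK_SIZE == 0
    for i in range(0, len(prefix), BLOCK_SIZE):
        state = compress(state, prefix[i:i + BLOCK_SIZE])
    return state


def toy_md_hash(msg: bytes) -> bytes:
    """Full hash: pad with 0x80, zeros and a 64-bit length, then chain."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK_SIZE)
    padded += len(msg).to_bytes(8, "big")
    return chain(padded)


def find_colliding_blocks(chain_state: bytes) -> tuple:
    """Birthday search for two different blocks A != B with equal chaining output.

    Candidates come from a counter, so the result is reproducible; about
    2**12 trials are expected for a 24-bit state.
    """
    seen = {}
    counter = 0
    while True:
        cand = counter.to_bytes(BLOCK_SIZE, "big")
        out = compress(chain_state, cand)
        if out in seen:
            return seen[out], cand
        seen[out] = cand
        counter += 1


HEADER = b"PROG0001"   # constructed: one block of "code" that precedes the data blob


def build_program(blob: bytes, trigger: bytes) -> bytes:
    """Constructed program image: header | 8-byte data blob | code section.

    The code section is byte-identical in both copies: it carries the dormant
    trigger value and both code paths, which is exactly what the original
    author would have had to ship from day one.
    """
    code = b"TRIGGER=" + trigger + b";BENIGN:serve();EVIL:grant_root()"
    return HEADER + blob + code


def run_program(image: bytes) -> str:
    """Stand-in runtime: the jump is taken only when the blob equals the trigger."""
    blob = image[BLOCK_SIZE:2 * BLOCK_SIZE]
    code = image[2 * BLOCK_SIZE:]
    trigger = code[len(b"TRIGGER="):len(b"TRIGGER=") + BLOCK_SIZE]
    return "EVIL" if blob == trigger else "BENIGN"


def demo() -> dict:
    """Build the benign original and the hash-colliding tampered copy."""
    a, b = find_colliding_blocks(chain(HEADER))
    original = build_program(a, trigger=b)   # ships with data A: dormant for years
    tampered = build_program(b, trigger=b)   # data B swapped in: same hash, live
    return {
        "same_hash": toy_md_hash(original) == toy_md_hash(tampered),
        "different_bytes": original != tampered,
        "original": run_program(original),
        "tampered": run_program(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

Two things worth noting from running it. The collision is found once, for one block position, and everything after that position rides along unchanged; that suffix property of Merkle-Damgard hashing is what lets the collision blocks be prepared before the dormant code is even written. And McCoy's variant needs no trigger branch at all: if the blob is consumed as a number (a modulus, an RNG seed), B only has to be a weak value, so the check that actually catches it is comparing the constant in the shipped binary against the one that was audited, not comparing file hashes.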