[Dshield] Digital sigs cracked

Don Jackson dwjackson at bcbsal.org
Thu Jun 16 18:25:56 GMT 2005


>>>> cbrenton at chrisbrenton.org 6/16/2005 12:16 PM >>>
>On Thu, 2005-06-16 at 10:34, Don Jackson wrote:
[...]
>> The odds that these messages could be construed as
>> meaningful -- that is, that they are low-entropy, structured
>> using a format or syntax for communication that makes
>> sense to any person or system -- are infinitesimal!
>
>I'm guessing you did not read the entire article because that is exactly
>what they did. The researchers digitally signed a valid postscript
>file, changed it, and generated the exact same hash signature while
>still retaining a functional postscript structure. So we're not talking
>theory here, they proved it's possible.

Several things mitigate the impact of collisions in these algorithms,
once cryptanalysts step out of the lab and into the real world.

One is that they chose the message format and crafted it
specifically to meet their requirements. Outside the lab, the
message format is not at the attacker's discretion.

Another is that hash functions provide only message
integrity.  The digital signatures aren't cracked, just the
hashing algorithms themselves.  Authentication is not addressed.
This is not a problem for Dr. Wang crafting files for himself in the
lab.  People using digital signatures need to realize that both
are vital to a valid signature; otherwise, they are using
cryptography for fun and actually placing themselves at risk
by not verifying both.

The last one I'll go into (related to message format) is that
it's much harder to do this when the message itself is
compressed or encrypted.  You'd have to reverse that
function and change the file in such a way that the
re-compression or re-encryption produces output that
matches Dr. Wang's criteria.  Sounds like a thesis to me.

>Now granted, what it comes down to is they only changed a single line in
>the file. IMHO this is still pretty major as it opens up some scary
>possibilities. Can I modify a binary to include a call to an external
>malicious program and still generate the same digital signature? Based
>on this research it certainly seems possible.

Yes!  Likely opportunities to use this research for Bad are where
the hash is used by itself (no authentication) such as P2P networks
or as MD5 sums posted on download sites.

However, because it's limited to hash functions only, code-signing
with digital certificates, etc., will not be affected transparently.

This research group only actually produced a duplicate MD5 sum
using the Postscript file, not a SHA-1 hash code, although I do not
doubt that they will offer a proof of concept attacking SHA-1 as well.
The scenario with the intern (see article linked to in original post)
would not be a direct result of the attacks demonstrated.  It
borders on sensationalism -- if there is such a thing in the mind of
a cryptologist.  :)
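The distinction drawn above between a bare MD5 sum posted beside a download (integrity only, no authentication) and a check that also verifies who published the digest, as an added example that is not part of this thread. It assumes a shared secret HMAC key as a stand-in for the publisher's signing key, since that is what the standard library offers; a real release would use an asymmetric signature over the manifest.

```python
import hashlib
import hmac

# Constructed sample release and a constructed demo key (not a real secret).
PUBLISHER_KEY = b"constructed-demo-key-not-a-real-secret"
RELEASE = b"#!/bin/sh\necho 'install good package'\n"


def md5_only_check(data: bytes, posted_md5: str) -> bool:
    """The weak pattern: a bare MD5 sum posted next to the file.
    It proves only that `data` hashes to `posted_md5`. Whoever can
    replace the file on the mirror can replace the sum as well, and a
    second file with the same MD5 (a collision) passes unchanged."""
    return hashlib.md5(data).hexdigest() == posted_md5


def make_manifest(data: bytes, key: bytes) -> tuple[str, str]:
    """Publisher side: a SHA-256 digest line plus an authenticator over
    that line, so the verifier checks integrity and origin together."""
    line = f"sha256 {hashlib.sha256(data).hexdigest()}"
    tag = hmac.new(key, line.encode(), "sha256").hexdigest()
    return line, tag


def authenticated_check(data: bytes, line: str, tag: str, key: bytes) -> bool:
    """Verifier side: refuse the manifest unless the authenticator is
    valid for this key, refuse digests from a collision-prone algorithm,
    then compare the file's SHA-256 in constant time."""
    expected_tag = hmac.new(key, line.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return False  # manifest was not produced by the key holder
    algo, digest = line.split()
    if algo != "sha256":
        return False  # an "md5 ..." line is rejected even if authenticated
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest)
```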
