[Dshield] Digital sigs cracked

Chris Brenton cbrenton at chrisbrenton.org
Thu Jun 16 22:08:55 GMT 2005


On Thu, 2005-06-16 at 14:25, Don Jackson wrote:
>
> Several things mitigate the impact of collisions in these algorithms,
> once cryptanalysts step out of the lab and into the real world.
> 
> One is that they chose the message format and crafted it
> specifically to meet their requirements. Outside the lab, the
> message format is not at the attacker's discretion.

Totally agree. I did not mean to imply the sky is falling, only that it's
a lot lower than it used to be. ;-)

If you think of it from a timeline perspective, MD5 was created in 1992.
It took till the fall of last year to actually prove that the
theoretical collisions in MD5 actually existed. Now in a *very* short
period of time someone has taken that work and applied it to a practical
application. I'm guessing it will not be long before people adapt this
work to other applications. So we know MD5 is not long for this world,
the problem is we might have even less time than we think.

> Another is that hash functions provide only message
> integrity.  The digital signatures aren't cracked, just the
> hashing algorithms themselves.  Authentication is not addressed.

Agreed, although it's a house of cards. If the hash function is suspect
then the whole thing falls apart. There are a lot of security functions
that rely on the integrity of the hash. Again, I can see this quickly
being adapted to other applications, not just digital signatures. So to
me it's not so much about this individual hack, as it is that it hits at
how bad this can get if it's not rectified quickly.

> The last one I'll go into (related to message format) is that
> it's much harder to do this when the message itself is
> compressed or encrypted.  You'd have to reverse that
> function and change the file in such a way that the
> re-compression or re-encryption produces output that
> matches Dr. Wang's criteria.  Sounds like a thesis to me.

Encryption I would agree. Compression... have to think that one over for
a bit. 

> Yes!  Likely opportunities to use this research for Bad are where
> the hash is used by itself (no authentication) such as P2P networks
> or as MD5 sums posted on download sites.

Not to mention RPM distributions and all the other inventive ways we've
come up with to use MD5 to validate file integrity. Again, could get
scary.

> This research group only actually produced a duplicate MD5 sum
> using the Postscript file, not a SHA-1 hash code, although I do not
> doubt that they will offer a proof of concept attacking SHA-1 as well.

Agreed. I give it a few months max. ;-)

> The scenario with the intern (see article linked to in original post)
> would not be a direct result of the attacks demonstrated.  It
> borders on sensationalism -- if there is such a thing in the mind of
> a cryptologist.  :)

I think the author was looking for an example that the average reader
could relate to. I'm more worried about applying this to other
applications like the modular Trojans we've been seeing as of late. This
*could* provide the possibility of a hash verified binary that actually
has been modified to include a call to additional code which is
malicious in nature. Again, scary stuff.

Thanks for the re!
Chris
