MD5 and SHA cracked/broken...

Jason Lai jmlai at uci.edu
Sun Sep 12 23:02:43 EDT 2004


Paul Rubin wrote:
> Kirk Job-Sluder <kirk at eyegor.jobsluder.net> writes:
> 
>>It should also be mentioned that "broken" in terms of Cryptography is a
>>bit different from how we think about computer security in general.
>>"Broken" in this case means that there exists a known algorithm that
>>makes it easier than a brute force attack to violate one or more of the
>>desired properties for a good hash algorithm.  It DOES NOT mean that a
>>practical exploit exists for MD5 that permits one to slip a trojan into
>>downloaded files or crack a password file.  There are easier ways to
>>plant a trojan than to create an identical MD5 hash, or crack a password
>>file than to try to break preimage resistance.  
> 
> 
> You don't need preimages to plant a trojan.  If you can create mere
> collisions, you can create two files, one with a trojan and one
> without a trojan, that have the same md5sum.  You publish the
> non-trojan one, people inspect it carefully and start using it, and
> download sites say that its md5sum should be so-and-so.  Now you can
> replace the non-trojan file with the trojan version and the md5sum
> will still verify.

Even if you find a collision, wouldn't it be highly likely that one 
version wouldn't be a usable program? I'd think that generating two 
valid programs -- not necessarily ones that do anything useful -- with 
the same MD5sum would be exceedingly difficult, even with all sorts of 
padding tricks. Not to mention that people expect tars or zip files.

As I understand it, that's the definition of "second preimage resistance."

  - Jason Lai
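[Editor's added example, not part of the post or the thread above. It works through
the swap Paul describes using the first publicly released MD5 collision pair (Wang,
Feng, Lai, Yu, 2004); the two 128-byte messages are reproduced from that published
result. The "program" container, its loader, the selector byte and the code strings
are invented here for illustration. The example shows that a collision in one block
carries through to any content appended after it, that both images are well-formed
for the toy format and behave differently, that a verifier comparing md5sums accepts
the swapped file, and that a SHA-256 comparison still catches it.]

```python
import hashlib

# The two 128-byte messages from the first published MD5 collision (Wang et al.,
# 2004), reproduced from the published result. They differ in six bytes.
COLLIDING_BLOCKS_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLIDING_BLOCKS_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collision_survives(prefix: bytes, suffix: bytes) -> bool:
    """Does the pair still collide once wrapped in other data?
    Any suffix is fine: after the 128th byte both messages leave MD5 in the
    same chaining state. A prefix is not: the published blocks were found for
    MD5's standard initial state, so anything in front of them breaks it."""
    return md5_hex(prefix + COLLIDING_BLOCKS_A + suffix) == \
        md5_hex(prefix + COLLIDING_BLOCKS_B + suffix)


# A toy program container, invented for this example. Layout: a 128-byte data
# section first (it must come first, see collision_survives), then a code
# section holding two behaviours separated by a NUL byte.
SEPARATOR = b"\x00"
SELECTOR_OFFSET = 19  # a byte at which the two colliding blocks differ (0x87 vs 0x07)


def build_program(data_section: bytes, benign_code: bytes, trojan_code: bytes) -> bytes:
    if len(data_section) != 128:
        raise ValueError("data section must be exactly 128 bytes")
    if SEPARATOR in benign_code or SEPARATOR in trojan_code:
        raise ValueError("code sections must not contain the separator byte")
    return data_section + benign_code + SEPARATOR + trojan_code


def run_program(image: bytes) -> str:
    """Toy loader. Both behaviours ship in every image; the high bit of one
    data byte decides which one runs, so the only difference between the
    clean and the trojan file is which colliding block sits at the front."""
    data_section, code = image[:128], image[128:]
    benign_code, trojan_code = code.split(SEPARATOR, 1)
    selected = trojan_code if data_section[SELECTOR_OFFSET] & 0x80 else benign_code
    return selected.decode()


def verify_download(image: bytes, published_md5: str) -> bool:
    """What 'check that the md5sum is so-and-so' amounts to."""
    return md5_hex(image) == published_md5


def swap_attack() -> dict:
    """Publish the clean build and its md5sum, then swap in the trojan build."""
    benign_code = b"print('hello from the clean build')"   # constructed
    trojan_code = b"print('hello'); phone_home()"          # constructed
    clean = build_program(COLLIDING_BLOCKS_B, benign_code, trojan_code)
    trojan = build_program(COLLIDING_BLOCKS_A, benign_code, trojan_code)
    published_md5 = md5_hex(clean)
    return {
        "clean_output": run_program(clean),
        "trojan_output": run_program(trojan),
        "md5_accepts_trojan": verify_download(trojan, published_md5),
        "sha256_matches": hashlib.sha256(clean).digest() == hashlib.sha256(trojan).digest(),
    }


if __name__ == "__main__":
    print("blocks differ at offsets", differing_offsets(COLLIDING_BLOCKS_A, COLLIDING_BLOCKS_B))
    print("same MD5:", md5_hex(COLLIDING_BLOCKS_A) == md5_hex(COLLIDING_BLOCKS_B))
    print("survives suffix:", collision_survives(b"", b"any trailing code or archive data"))
    print("survives prefix:", collision_survives(b"header", b""))
    for k, v in swap_attack().items():
        print(f"{k}: {v}")
```

The selector trick is the same idea later colliding-binary demonstrations used with
real executable formats: the binary carries both code paths and the colliding block
only chooses one. The practical caveat is the chaining state: these blocks collide
only at the very start of a file, and producing a pair for an arbitrary prefix needs
a separate attack. That, and not the uselessness of random-looking colliding data,
is what limits the swap in practice.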



More information about the Python-list mailing list