[16015] in cryptography@c2.net mail archive
Re: How thorough are the hash breaks, anyway?
daemon@ATHENA.MIT.EDU (Daniel Carosone)
Thu Aug 26 19:18:11 2004
X-Original-To: cryptography@metzdowd.com
Date: Fri, 27 Aug 2004 07:40:23 +1000
From: Daniel Carosone <dan@geek.com.au>
To: "Trei, Peter" <ptrei@rsasecurity.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <017630AA6DF2DF4EBC1DD4454F8EE297161734@rsana-ex-hq1.NA.RSA.NET>
On Thu, Aug 26, 2004 at 11:09:49AM -0400, Trei, Peter wrote:
> Looking over the recent work on hash collisions, one
> thing that struck me was that they all seem to be
> attacks on known plaintext - the 'plaintexts' which
> collided were very close to each other, varying in
> only a few bits.
Yep, so far... but let's assume for the moment that's as far as they
will go, however nervous it makes us about future extension of the
break.
> It allows you (if you're fortunate) to modify a signed
> message and have the signature still check out.
> However, if you don't know the original plaintext
> it does not seem to allow you construct a second
> message with the same hash.
True. Even if you know the plaintext, many of the messages you might
want to tamper with have some sort of internal consistency constraints
(structured file formats, executable code for a particular
architecture, etc) that limit the possibilities of a useful attack.
There is one application of hashes, however, that fits these
limitations very closely and has me particularly worried:
certificates. The public key data is public, and it's a "random"
bitpattern where nobody would ever notice a few different bits.
If someone finds a collision for Microsoft's Windows Update cert (or a
number of other possibilities), the fan is well and truly buried
in it.
--
Dan.
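The certificate worry above rests on two facts: a CA signature binds only the digest of the to-be-signed bytes, and the public-key field is an opaque bit pattern that no verifier inspects. The toy below, added here as an illustration and not part of the original message, makes both concrete. It replaces the real hash with a 20-bit truncation of SHA-256 so that a collision can be found by a plain birthday search (the 2004 results were differential attacks on MD5/SHA-0, not brute force; the truncation is only there to make the search cheap), uses HMAC over the digest in place of an RSA/DSA signature, and uses a hypothetical length-prefixed TBS encoding instead of DER. Two certificates with the same subject but public keys that differ only inside a four-byte window end up with the same digest, and the CA's signature on the first verifies over the second.

```python
"""Toy: a hash collision confined to a certificate's public-key field
carries the CA's signature over to a second, never-signed certificate.
All names, formats and parameters here are constructed for illustration."""
import hashlib
import hmac
import os

DIGEST_BITS = 20          # toy truncation: a collision appears in ~2**10 tries
WINDOW = 4                # bytes of the key field the two keys may differ in


def toy_digest(data: bytes) -> bytes:
    """Truncated SHA-256 standing in for a collision-prone hash (toy only)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    nbytes = (DIGEST_BITS + 7) // 8
    return (full & ((1 << DIGEST_BITS) - 1)).to_bytes(nbytes, "big")


def encode_tbs(subject: bytes, pubkey: bytes) -> bytes:
    """Minimal length-prefixed 'to-be-signed' body: subject, then key bytes.
    A hypothetical stand-in for DER; only the field layout matters here."""
    return (len(subject).to_bytes(2, "big") + subject
            + len(pubkey).to_bytes(2, "big") + pubkey)


def ca_sign(ca_secret: bytes, tbs: bytes) -> bytes:
    """The CA signs the digest of the TBS bytes, never the bytes themselves.
    HMAC over the digest stands in for RSA/DSA; only digest binding matters."""
    return hmac.new(ca_secret, toy_digest(tbs), "sha256").digest()


def ca_verify(ca_secret: bytes, tbs: bytes, sig: bytes) -> bool:
    """Recompute the signature over this TBS and compare in constant time."""
    return hmac.compare_digest(ca_sign(ca_secret, tbs), sig)


def find_colliding_keys(subject: bytes, base_key: bytes):
    """Birthday search over keys equal to base_key except in the last WINDOW
    bytes, until two of them give the same toy digest for the same subject.
    Returns (key_a, key_b); nothing outside the window is ever changed."""
    prefix = base_key[:-WINDOW]
    seen = {}
    while True:
        key = prefix + os.urandom(WINDOW)
        d = toy_digest(encode_tbs(subject, key))
        if d in seen and seen[d] != key:
            return seen[d], key
        seen[d] = key


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo() -> dict:
    subject = b"CN=update.example.com"             # constructed subject
    ca_secret = os.urandom(32)                      # toy CA signing key
    key_a, key_b = find_colliding_keys(subject, os.urandom(256))
    tbs_a = encode_tbs(subject, key_a)
    tbs_b = encode_tbs(subject, key_b)
    sig = ca_sign(ca_secret, tbs_a)                 # CA only ever signs cert A
    unrelated = encode_tbs(subject, os.urandom(256))
    return {
        "same_digest": toy_digest(tbs_a) == toy_digest(tbs_b),
        "keys_differ": key_a != key_b,
        "bits_changed": differing_bits(key_a, key_b),  # confined to WINDOW
        "key_bits": len(key_a) * 8,
        "sig_transfers_to_b": ca_verify(ca_secret, tbs_b, sig),
        "unrelated_cert_verifies": ca_verify(ca_secret, unrelated, sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The verifier of certificate B sees the expected subject, a random-looking key and a signature that checks out; nothing in the key bytes tells it that the CA signed a different key. One caveat the toy glosses over: a colliding certificate is only useful if the attacker holds the private key matching the bit pattern in its key field, so in a real attack the colliding bytes must form a key the attacker generated rather than arbitrary bits, which is a constraint on where the differing bits may fall, not on whether the signature transfers.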
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com