[23080] in cryptography@c2.net mail archive
MD5 trick
daemon@ATHENA.MIT.EDU (vlastimil.klima@volny.cz)
Tue Apr 18 10:33:35 2006
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: vlastimil.klima@volny.cz
To: cryptography@metzdowd.com
Date: Tue, 18 Apr 2006 08:13:45 +0200 (CEST)
The trick could be shortly expressed as follows:
"Give me three files and I will give you another three with the
same MD5 hash"
Of course, it is a trick. Yesterday I updated my paper=20
"Tunnels in Hash Functions: MD5 Collisions Within a Minute"
(http://eprint.iacr.org/2006/105.pdf)=20
and MD5 collision program
(http://cryptography.hyperlink.cz/2006/web_version_1.zip).
Now, the average time of MD5 collision is 17 seconds=20
on PC Intel Pentium 4 (3.2 MHz).
I asked Ondrej Mikle to write the program "pack3".=20
Thanks to him, you can find the progrm on
http://cryptography.hyperlink.cz/2006/selfextract.zip =20
Usage: pack3 file1 file2 file3 file4 file5 file6 will=20
create two packages, package1.exe and package2.exe.=20
Both will have the same MD5 sum, while=20
package1.exe will extract files 1-3=20
and package2.exe will extract files 4-6.
It enables attacking SW distribution process for instance. A
department, distributing SW (to clients, web, etc.) could
distribute package2, whilst it is signed by SW developing
department as package1.
The trick is here very easy, because it is the attacker, who
creates colliding packages.=20
A toy scenario:=20
The SW development department sends the source to the distributing
department. It adds a readme or help files and returns the complete
package (package1) to the SW development department. Of course, SW
development department runs package1.exe and checks byte by byte
that the original source files aren=B4t changed. Now it signs it.
Another one:=20
The third party prepares a contract. The contract is sent to both
buyer (package1) and seller (package2) and signed by both parties.=20
The structure of package1,2 is trivial. The first part is common,
the second part contains colliding blocks and the third part
contains the table of files file1 file2 file3 file4 file5 file6.
Package.exe decompresses file1 file2 file3 or file4 file5 file6
according to a specified bit value in the second part.=20
Because now it is very quick to generate MD5 collision for any
chosen IV, it is possible to write the first part arbitrarily and
then generate a collision.=20
Note that the number of files could be arbitrary and there are more
clever scenarios. The program serves only as a toy example how to
get arround the necessity of creating the second preimage.
Vlastimil Klima
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
