Security Basics mailing list archives

RE: TCP/IP CRC question


From: Simon Zuckerbraun <szucker () sst-pr-1 com>
Date: Wed, 13 Oct 2004 00:16:02 -0500

Clement,

Could you explain this for me a little more? I don't yet understand the scenario. If the attacker is able to alter the data within the packet, I would think that he'd also be able to alter the checksum to correspond. In what scenario does the attacker have a need to find a collision?

Where have I gone wrong?

Thanks,
Simon

-----Original Message-----
From: Clement Dupuis [mailto:cdupuis () cccure org]
Sent: Friday, October 08, 2004 5:40 PM
To: miles () mstevenson org
Cc: security-basics () securityfocus com
Subject: RE: TCP/IP CRC question


Good day to all,

Lately I had a similar conversation with William Stearns and Joshua Wright on CRC32 attacks on wireless networks. We always hear about potential attacks that are possible but rarely see an example of a collision. Joshua wrote a brute forcer that allowed him to find a collision as follows for an SQL update statement:

-----------------------------------------------------------
"UPDATE payroll SET wage = 10.75 WHERE empno = 11"

This is what I'm going to call the "intended data", with a CRC of 0x954f8133. The adversary-modified data removes the decimal point and changes the employee number to 18, terminating the SQL and adding a comment to the UPDATE statement:

"UPDATE payroll SET wage = 1075 WHERE empno = 18; --   pN#j,"

which has the same CRC as the previous statement.
----------------------------------------------------------------


Although not common, there are ways to get the same CRC32 values or a collision if someone really wanted to attempt an attack. It only requires a bit of programming and patience.

Clement

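The point behind both messages above (a CRC32 can be recomputed by anyone who can change the data, and it is linear, so a colliding suffix is cheap to find, whereas a keyed MAC is not) is shown below in an added example that is not part of the thread. The suffix on the modified statement is a constructed stand-in, since the trailing bytes of Joshua's collision did not survive the archive; no CRC value from the thread is assumed to reproduce.

```python
import hashlib
import hmac
import zlib

# The two statements from the thread. The "XXXX" suffix is a constructed
# placeholder for the junk bytes that made the real collision.
INTENDED = b"UPDATE payroll SET wage = 10.75 WHERE empno = 11"
MODIFIED = b"UPDATE payroll SET wage = 1075 WHERE empno = 18; -- XXXX"


def crc32_tag(msg: bytes) -> int:
    """Keyless checksum: anyone who can read the message can compute it."""
    return zlib.crc32(msg) & 0xFFFFFFFF


def crc32_verify(msg: bytes, tag: int) -> bool:
    return crc32_tag(msg) == tag


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    """Keyed MAC: producing a valid tag requires the shared secret."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def hmac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # Constant-time compare so the receiver does not leak the tag byte by byte.
    return hmac.compare_digest(hmac_tag(key, msg), tag)


def crc_protected_accepts_tampering() -> bool:
    """Simon's point: with a CRC the attacker simply ships a recomputed value
    (or, where the checksum field cannot be touched, finds a colliding suffix)."""
    return crc32_verify(MODIFIED, crc32_tag(MODIFIED))


def hmac_protected_accepts_tampering(key: bytes) -> bool:
    """Without the key the attacker can only forward the original tag."""
    return hmac_verify(key, MODIFIED, hmac_tag(key, INTENDED))


def crc32_is_linear(a: bytes, b: bytes) -> bool:
    """For equal-length inputs: crc32(a ^ b) == crc32(a) ^ crc32(b) ^ crc32(zeros).
    This linearity is why CRC32 detects line noise but not deliberate edits:
    the effect of any change on the CRC is predictable and can be cancelled."""
    if len(a) != len(b):
        raise ValueError("linearity identity holds for equal-length inputs")
    xored = bytes(x ^ y for x, y in zip(a, b))
    zeros = bytes(len(a))
    return crc32_tag(xored) == crc32_tag(a) ^ crc32_tag(b) ^ crc32_tag(zeros)
```

The linearity identity is the property a brute forcer exploits; a defender's fix is to replace the CRC with an HMAC (or an authenticated cipher) so integrity depends on a key rather than on a public polynomial.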