Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

[Marshall Eubanks <tme () multicasttech com>]

On Jan 3, 2009, at 12:46 PM, Frank Bulk wrote:

> For me the MD5 hashes on file downloads are more valuable to ensure  
> the
> package is accurate to a byte rather than to verify its authenticity  
> or
> integrity.
>
> Wouldn't listing both SHA-1 and MD5 hashes for a file download  
> assure almost
> complete confidence that the file is the original one?  I don't  
> think anyone
> has been able to create a duplicate file that generates the same  
> SHA-1 *and*
> MD5 hashes as the original file.

I would not be too sure. MD5 only makes one pass over the data.

Suppose that I find two messages, M1 and M2, that have the same MD5  
hash - there are methods out there to do that.

M1 is the good message, M2 is the bad message.

Let "||" be the concatenation operator.

So, for any string S

M1||S and M2||S have the same MD5 hash.

So, if I can find an S such that the SHA-1 hash for M1||S and M2||S
are the same, the MD5 hashes for these messages will still be the  
same, and you
have your feared condition.

My understanding is that one type of collision search involves using  
an S
and trying to find collisions of
M1 and M2||S by varying S. Modifying this to a common S does
not seem that different, and I would not want to bet a lot on it being  
fundamentally much
more difficult. (It might be, it might not be, I have no idea, the
question is, how much are you willing to bet on it ?)

Regards
Marshall


Regards
Marshall

> Frank
>
> -----Original Message-----
> From: Florian Weimer [mailto:fw () deneb enyo de]
> Sent: Saturday, January 03, 2009 10:23 AM
> To: Skywing
> Cc: NANOG
> Subject: Re: Security team successfully cracks SSL using 200 PS3's  
> and MD5
> flaw.
>
> > Then again, I just got yet another Debian DSA mail which has
> > plaintext download links for new binaries.  The integrity
> > verification mechanism for said binaries is, you guessed it:
> > PGP-signed md5sums.
>
> I can assure you that you will continue to receive these messages for
> a while (unless you unsubscribe from the relevant mailing lists).
>
> Our rationale is that in order to carry out currently known attacks on
> MD5, you need to create a twin of documents, one evil and one
> harmless.  In Debian's case, we prepare the data we sign on our
> trusted infrastructure.  If someone can sneak in an evil twin due to a
> breach, more direct means of attack are available.
>
> In practice, the download links themselves are the larger problem
> because users might use them without checking anything.  Eventually,
> they will go away, together with the MD5 hashes.  Newer versions of
> APT also use the SHA-256 checksums embedded in the Release and
> Packages files.