md5 collision - Security



Thread: md5 collision

  1. Re: md5 collision

    Unruh wrote:

    > matt_left_coast writes:
    >
    >>Peter Pearson wrote:

    >
    >>> matt_left_coast wrote:
    >>>
    >>>> Unruh wrote:
    >>>>
    >>>>>>When dealing with the first case, you create the first of the two
    >>>>>>files, then the file IS known. Then you would be dealing with the
    >>>>>>second case.
    >>>>>
    >>>>> But you have to create them together. You cannot create one and then
    >>>>> make another which has the same md5.
    >>>>
    >>>> Exact process, please.
    >>>
    >>> The logic here escapes me. Unruh appears to be claiming that
    >>> you cannot do something ("cannot create one and then make
    >>> another which has the same md5"), and matt_left_coast appears
    >>> to be asserting that Unruh should support that claim by
    >>> detailing how to do something. You cannot show that something
    >>> is impossible by showing how to do something. If
    >>> matt_left_coast wishes to claim that one can find a preimage
    >>> to a given hash, it's up to him to specify how.
    >>>
    >>> A recent paper on md5 attacks is "Improved Collision Attack on MD5"
    >>> by Yu Sasaki, Yusuke Naito, Noboru Kunihiro, and Kazuo Ohta,
    >>> available at http://eprint.iacr.org/2005/400.pdf. The procedure
    >>> is outlined in section 3.4. While the details are not essential
    >>> to this discussion, the alert reader will note that the attack
    >>> does *not* produce a preimage for a given hash, but rather produces
    >>> a pair of messages whose hashes match. Unruh is quite right.
    >>>

    >
    >>Are the two files useful for ANYTHING? What are you going to do, put up
    >>one of the files for download and swap it for the other? Yeah, you can
    >>generate virtually random files that have the same MD5 value but what is
    >>the use? It is a meaningless exercise in mental masturbation. Other than
    >>to prove it can be done, what use is it? Can you come up with a truly
    >>useful "attack" that could be based on this?

    >
    > No. The two files can contain some random parts, but that can be hidden in
    > many file formats. Ie, it is easy to create two different word files which
    > have some random junk in the file area which is not used by word to create
    > the text such that the two files have the same md5 hash.
    >


    In other words, two meaningless files. There is no reason to do this other
    than to prove it can be done.

    >
    >
    >>Quite frankly, people worried about the MD5 thing are nuts, the likelihood
    >>that 2 legitimate files exist in any place where it could be an issue is
    >>so ridiculously remote and other issues so much more important that it is
    >>probably not worth the effort devoted to this discussion.

    >
    > No it is not. It is now easy for a crook to give you one
    > document, and then produce another with entirely different text but with
    > exactly the same MD5 hash which is what he claims he signed.


    But you said " One cannot create a second file with the same md5 hash as
    a given file." Here you are saying it would be EASY! Get your stories
    straight.



    --



  2. Re: md5 collision

    matt_left_coast writes:

    >Michael Heiming wrote:


    >> In comp.os.linux.security matt_left_coast :
    >>> Unruh wrote:

    >>
    >>>> matt_left_coast writes:
    >>>>
    >>>>>Unruh wrote:
    >>>>
    >>>>>>>When dealing with the first case, you create the first of the two
    >>>>>>>files, then the file IS known. Then you would be dealing with the
    >>>>>>>second case.
    >>>>>>
    >>>>>> But you have to create them together. You cannot create one and then
    >>>>>> make another which has the same md5.
    >>>>
    >>>>>Exact process, please.
    >>>>
    >>>> Go read the papers.

    >>
    >>> Well, I'll take that as proof you are just bull ****ting, as I thought.

    >>
    >> Please calm down.
    >>
    >> This should give a little more insight:
    >>
    >> http://www.cits.rub.de/MD5Collisions/
    >>
    >> There is heavy math involved, so you can be sure Bill is almost
    >> always right.
    >>


    >If you read it carefully, it also does not say it is IMPOSSIBLE to create a
    >second file. Given enough time and computer power, it could well be done.


    Of course it is not impossible, unless you call something that would take
    more than the GDP of the entire world for the rest of the lifetime of the
    sun "impossible".

    The point is that at present if I give you a file A which you cannot
    change, then it is very hard (impossible in the above sense) to find a file
    B with the same hash. But it is easy if you are allowed to make minor
    changes to A ( eg add 30 bytes or so to A) to find new files A' and B with
    the same hash. The changes to A need not be in any important area. They
    could be to the end of the file or in some area of the file that is
    irrelevant ( the "junk" areas of a Word file say). Thus the file A' can
    look exactly the same as A, and B can look like a legitimate file which
    looks different from A.

    >The point is, does it make any difference to create files in that method?
    >Can they be used for ANYTHING? Likewise, is it worth the effort to make a
    >second file that has the same checksum value. Also, the fact that you can,
    >with a great deal of effort create 2 files that have the same MD5 value,


    No, with not much effort at all.

    >there is nothing that shows that every file can have a second file with the
    >same checksum. Indeed, I see nothing that shows that ANY pre-existing file


    Of course every file cannot have the same checksum.

    >can have a checksum that can be shared with another file. In short it may


    If you allow me to make small changes to the pre-existing file, eg adding a
    few bytes to it, then it is apparently easy to find a second file with the
    same md5 as the altered first file. If you demand that the first file not
    be altered (md5 checksum remain the same) then no it is apparently not easy
    at present.

    >be that only a very few of all the files in the world can even HAVE a
    >second file with the same checksum much less have it be an issue.



    >The evidence I have seen does not show that this is a serious issue at all.






  3. Re: md5 collision

    matt_left_coast wrote:
    > Pat Farrell wrote:
    >> Generally correct. But it costs nothing to use a better hash.
    >> So we need to tell people to just stop using MD5 and use whatever
    >> SHA* that your threat model requires.

    >
    > Oh? So, a company that makes heavy use of MD5 can cut over with no cost?


    What company in control of its crypto software is still using MD5?
    It has been deprecated since the late 1990s.

    If you have no control over the software, then there is no point in
    talking about it. If you have control, and you care about security
    you no longer use MD5 or DES. If you write software that
    can't allow alternative hash and crypto algorithms,
    then you probably also can't handle different message formats.
    So you're screwed anyway.


    --
    Pat



  4. Re: md5 collision

    Unruh wrote:

    > Of course it is not impossible


    But you said it was: " One cannot create a second file with the same md5
    hash as a given file." It is time prohibitive, but IT CAN BE DONE, IF there
    is a possible file format that would have the same sum.
    --



  5. Re: md5 collision

    Pat Farrell wrote:

    > matt_left_coast wrote:
    >> Pat Farrell wrote:
    >>> Generally correct. But it costs nothing to use a better hash.
    >>> So we need to tell people to just stop using MD5 and use whatever
    >>> SHA* that your threat model requires.

    >>
    >> Oh? So, a company that makes heavy use of MD5 can cut over with no
    >> cost?

    >
    > What company in control of its crypto software is still using MD5?


    Don't know and don't care. It would NOT be free to convert a company that
    does.

    > It has been deprecated since the late 1990s.
    >


    So has a lot of other stuff still in use. Go to any Fry's and look at their
    quote system, I'll bet that is pre "late 1990's"!

    > If you have no control over the software, then there is no point in
    > talking about it. If you have control, and you care about security
    > you no longer use MD5 or DES. If you write software that
    > can't allow alternative hash and crypto algorithms,
    > then you probably also can't handle different message formats.
    > So you're screwed anyway.


    There are plenty of screwed companies out there and cutting over would not
    be free. The simple fact is that they could still be using MD5 or DES
    because they did a cost/risk analysis and determined it was not worth the
    cost to convert. Anyone with a clue understands that, what's your problem?



  6. Re: md5 collision

    matt_left_coast wrote:
    > Jan Pompe wrote:
    >
    >
    >>matt_left_coast wrote:
    >>
    >>>Jan Pompe wrote:
    >>>
    >>>
    >>>
    >>>>It seems you are just too stupid to realize it amounts to the same type
    >>>>of rudeness that you have committed and are complaining about in others.
    >>>>
    >>>>In short you are the pot calling the kettle black.
    >>>
    >>>
    >>>Wow, how profound. I know EXACTLY how rude I am being. When confronted
    >>>with someone as stupid as you I will get rude. The thing is, I can be
    >>>nice,

    >>
    >>I doubt it; your ego is far too inflated for that.

    >
    >
    > that the best you can do?
    >


    Better is not required!!!!

  7. Re: md5 collision

    Jan Pompe wrote:

    > matt_left_coast wrote:
    >> Jan Pompe wrote:
    >>
    >>
    >>>matt_left_coast wrote:
    >>>
    >>>>Jan Pompe wrote:
    >>>>
    >>>>
    >>>>
    >>>>>It seems you are just too stupid to realize it amounts to the same type
    >>>>>of rudeness that you have committed and are complaining about in
    >>>>>others.
    >>>>>
    >>>>>In short you are the pot calling the kettle black.
    >>>>
    >>>>
    >>>>Wow, how profound. I know EXACTLY how rude I am being. When confronted
    >>>>with someone as stupid as you I will get rude. The thing is, I can be
    >>>>nice,
    >>>
    >>>I doubt it; your ego is far too inflated for that.

    >>
    >>
    >> that the best you can do?
    >>

    >
    > Better is not required!!!!


    You are right, it did show you for the unimaginative idiot you are.

    --



  8. Re: md5 collision

    Michael Heiming writes:

    >In comp.os.linux.security matt_left_coast :
    >> Michael Heiming wrote:


    >>> In comp.os.linux.security matt_left_coast :
    >>>> Unruh wrote:
    >>>
    >>>>> matt_left_coast writes:
    >>>>>
    >>>>>>Unruh wrote:
    >>>>>
    >>>>>>>>When dealing with the first case, you create the first of the two
    >>>>>>>>files, then the file IS known. Then you would be dealing with the
    >>>>>>>>second case.
    >>>>>>>
    >>>>>>> But you have to create them together. You cannot create one and then
    >>>>>>> make another which has the same md5.
    >>>>>
    >>>>>>Exact process, please.
    >>>>>
    >>>>> Go read the papers.
    >>>
    >>>> Well, I'll take that as proof you are just bull ****ting, as I thought.
    >>>
    >>> Please calm down.
    >>>
    >>> This should give a little more insight:
    >>>
    >>> http://www.cits.rub.de/MD5Collisions/
    >>>
    >>> There is heavy math involved, so you can be sure Bill is almost
    >>> always right.
    >>>


    >> If you read it carefully, it also does not say it is IMPOSSIBLE to create a
    >> second file. Given enough time and computer power, it could well be done.


    >You have completely missed the point, in the above example the
    >second file does make sense. Dunno why you make such a trouble
    >out of the matter.


    Just to emphasise this, here is a quote from the article

    "If you cannot exercise control over colliding messages, these collisions
    are theoretically interesting but harmless, right? In the past few weeks,
    we have met quite a few people who thought so.

    With this page, we want to demonstrate how badly wrong this kind of
    reasoning is! We hope to provide convincing evidence even for people
    without much technical or cryptographical background"

    So read that page. Note that the two examples they gave did NOT require
    extensive computation. They were easy.


    The two files differ only in something like 6 bytes in a garbage area that
    is NOT displayed by the postscript interpreter except for the part that
    chooses the first or second block of text to display.


  9. Re: md5 collision

    matt_left_coast writes:

    >Michael Heiming wrote:


    >> In comp.os.linux.security matt_left_coast :
    >>> Michael Heiming wrote:

    >>
    >>>> In comp.os.linux.security matt_left_coast :
    >>>>> Unruh wrote:
    >>>>
    >>>>>> matt_left_coast writes:
    >>>>>>
    >>>>>>>Unruh wrote:
    >>>>>>
    >>>>>>>>>When dealing with the first case, you create the first of the two
    >>>>>>>>>files, then the file IS known. Then you would be dealing with the
    >>>>>>>>>second case.
    >>>>>>>>
    >>>>>>>> But you have to create them together. You cannot create one and then
    >>>>>>>> make another which has the same md5.
    >>>>>>
    >>>>>>>Exact process, please.
    >>>>>>
    >>>>>> Go read the papers.
    >>>>
    >>>>> Well, I'll take that as proof you are just bull ****ting, as I thought.
    >>>>
    >>>> Please calm down.
    >>>>
    >>>> This should give a little more insight:
    >>>>
    >>>> http://www.cits.rub.de/MD5Collisions/
    >>>>
    >>>> There is heavy math involved, so you can be sure Bill is almost
    >>>> always right.
    >>>>

    >>
    >>> If you read it carefully, it also does not say it is IMPOSSIBLE to create
    >>> a second file. Given enough time and computer power, it could well be
    >>> done.

    >>
    >> You have completely missed the point, in the above example the
    >> second file does make sense. Dunno why you make such a trouble
    >> out of the matter.
    >>
    >> [..]
    >>


    >Show me ONE documented example of this EVER ACTUALLY happening. The fact
    >that someone can write a fable does not mean it is an issue.


    What kind of position is this to take? It is shown that it is easy to spoof
    a letter. Now you want to be shown that it has actually damaged someone.
    Do you have the same reaction to crypto? Use a system that is proven to be
    weak and easily cracked but demand that anyone who points it out to you
    prove that that has led to damages?

    Anyway, you may do what you want. The warning is to the rest of the world
    who have higher standards than you apparently do in what crypto stuff you
    use.



  10. Re: md5 collision

    Unruh wrote:

    > The two files differ only in something like 6 bytes in a garbage area that
    > is NOT displayed by the postscript interpreter except for the part that
    > chooses the first or second block of text to display.


    Then what would be the point? To be able to be effective, it would need to
    substantively change the document in a way that does not look like
    gibberish. In short, if someone wanted to commit fraud with this they would
    have to be able to change something like $60,000 to $6,000 or something
    else substantive that MAKES SENSE. Since you have already stated that the
    creation of the two files would require RANDOM elements, it is doubtful
    that this would be effective. It is doubtful that a random element would
    effect the changes that a criminal would want. In fact, the random evidence
    would really only serve as evidence of this type of "attack" with no real
    way to make the attack effective.

    --



  11. Re: md5 collision

    Unruh wrote:

    > What kind of position is this to take? It is shown that it is easy to
    > spoof a letter.


    A simple look at the differences in the size of the files and you have proof
    of attempted fraud.

    --



  12. Re: md5 collision

    matt_left_coast wrote:



    --
    Pat



  13. Re: md5 collision

    Pat Farrell wrote:

    > matt_left_coast wrote:
    >
    >
    >


    Good, I like it when ignorant a-holes plonk me.

    --



  14. Re: md5 collision

    matt_left_coast wrote:
    > Jan Pompe wrote:
    >
    >
    >>matt_left_coast wrote:
    >>
    >>>Jan Pompe wrote:
    >>>
    >>>
    >>>
    >>>>matt_left_coast wrote:
    >>>>
    >>>>
    >>>>>Jan Pompe wrote:
    >>>>>
    >>>>>
    >>>>>
    >>>>>
    >>>>>>It seems you are just too stupid to realize it amounts to the same type
    >>>>>>of rudeness that you have committed and are complaining about in
    >>>>>>others.
    >>>>>>
    >>>>>>In short you are the pot calling the kettle black.
    >>>>>
    >>>>>
    >>>>>Wow, how profound. I know EXACTLY how rude I am being. When confronted
    >>>>>with someone as stupid as you I will get rude. The thing is, I can be
    >>>>>nice,
    >>>>
    >>>>I doubt it; your ego is far too inflated for that.
    >>>
    >>>
    >>>that the best you can do?
    >>>

    >>
    >>Better is not required!!!!

    >
    >
    > You are right, it did show you for the unimaginative idiot you are.
    >


    Is this the best *you* can do?

  15. Re: md5 collision

    Jan Pompe wrote:

    > matt_left_coast wrote:
    >> Jan Pompe wrote:
    >>
    >>
    >>>matt_left_coast wrote:
    >>>
    >>>>Jan Pompe wrote:
    >>>>
    >>>>
    >>>>
    >>>>>matt_left_coast wrote:
    >>>>>
    >>>>>
    >>>>>>Jan Pompe wrote:
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>>It seems you are just too stupid to realize it amounts to the same
    >>>>>>>type of rudeness that you have committed and are complaining about in
    >>>>>>>others.
    >>>>>>>
    >>>>>>>In short you are the pot calling the kettle black.
    >>>>>>
    >>>>>>
    >>>>>>Wow, how profound. I know EXACTLY how rude I am being. When confronted
    >>>>>>with someone as stupid as you I will get rude. The thing is, I can be
    >>>>>>nice,
    >>>>>
    >>>>>I doubt it; your ego is far too inflated for that.
    >>>>
    >>>>
    >>>>that the best you can do?
    >>>>
    >>>
    >>>Better is not required!!!!

    >>
    >>
    >> You are right, it did show you for the unimaginative idiot you are.
    >>

    >
    > Is this the best *you* can do?


    Wow, now all you can do is ape me, just how big an unimaginative retard are
    you?

    Go take your banana and shove it, chimp.

  16. Re: md5 collision

    Pat Farrell wrote:

    > matt_left_coast wrote:
    >
    >
    >


    I see you can't deal with a rational debate. Anyone that disagrees with you
    you plonk them. Good. I don't need your type of unreasonable BS.

    --



  17. Re: md5 collision

    Unruh wrote:

    > Not only that but you have to change the first file in order to get the
    > second file to have the same hash. Ie,


    And a check of the file size of the two files would prove fraud. Anyone that
    uses this method documents their fraud. Maybe you would be stupid enough to
    use this method, but I doubt that anyone that has a clue would be so
    stupid. The two files are a smoking gun.

    --



  18. Re: md5 collision

    matt_left_coast writes:

    >Unruh wrote:


    >> matt_left_coast writes:
    >>
    >>>Peter Pearson wrote:

    >>
    >>>> matt_left_coast wrote:
    >>>>
    >>>>> Unruh wrote:
    >>>>>
    >>>>>>>When dealing with the first case, you create the first of the two
    >>>>>>>files, then the file IS known. Then you would be dealing with the
    >>>>>>>second case.
    >>>>>>
    >>>>>> But you have to create them together. You cannot create one and then
    >>>>>> make another which has the same md5.
    >>>>>
    >>>>> Exact process, please.
    >>>>
    >>>> The logic here escapes me. Unruh appears to be claiming that
    >>>> you cannot do something ("cannot create one and then make
    >>>> another which has the same md5"), and matt_left_coast appears
    >>>> to be asserting that Unruh should support that claim by
    >>>> detailing how to do something. You cannot show that something
    >>>> is impossible by showing how to do something. If
    >>>> matt_left_coast wishes to claim that one can find a preimage
    >>>> to a given hash, it's up to him to specify how.
    >>>>
    >>>> A recent paper on md5 attacks is "Improved Collision Attack on MD5"
    >>>> by Yu Sasaki, Yusuke Naito, Noboru Kunihiro, and Kazuo Ohta,
    >>>> available at http://eprint.iacr.org/2005/400.pdf. The procedure
    >>>> is outlined in section 3.4. While the details are not essential
    >>>> to this discussion, the alert reader will note that the attack
    >>>> does *not* produce a preimage for a given hash, but rather produces
    >>>> a pair of messages whose hashes match. Unruh is quite right.
    >>>>

    >>
    >>>Are the two files useful for ANYTHING? What are you going to do, put up
    >>>one of the files for download and swap it for the other? Yeah, you can
    >>>generate virtually random files that have the same MD5 value but what is
    >>>the use? It is a meaningless exercise in mental masturbation. Other than
    >>>to prove it can be done, what use is it? Can you come up with a truly
    >>>useful "attack" that could be based on this?

    >>
    >> No. The two files can contain some random parts, but that can be hidden in
    >> many file formats. Ie, it is easy to create two different word files which
    >> have some random junk in the file area which is not used by word to create
    >> the text such that the two files have the same md5 hash.
    >>


    >In other words, two meaningless files. There is no reason to do this other
    >than to prove it can be done.


    >>
    >>
    >>>Quite frankly, people worried about the MD5 thing are nuts, the likelihood
    >>>that 2 legitimate files exist in any place where it could be an issue is
    >>>so ridiculously remote and other issues so much more important that it is
    >>>probably not worth the effort devoted to this discussion.

    >>
    >> No it is not. It is now easy for a crook to give you one
    >> document, and then produce another with entirely different text but with
    >> exactly the same MD5 hash which is what he claims he signed.


    >But you said " One cannot create a second file with the same md5 hash as
    >a given file." Here you are saying it would be EASY! Get your stories
    >straight.


    Get your reading straight. I said you cannot create a second file with the
    same md5 hash as a GIVEN file. What is easy is to create two files with the
    same md5 hash.
    He gives you one, but uses the other.





    >--
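
The distinction argued over in this thread (any two files that collide versus a second file matching one GIVEN file), as an added example that is not part of any poster's message: it brute-forces a toy hash made of the first 32 bits of MD5, which is not how the published MD5 attacks work but shows the same cost asymmetry. The truncation width, the document strings and all function names are assumptions made for the illustration.

```python
import hashlib

BITS = 32  # assumption: truncated digest width, small enough to search by brute force


def h(msg: bytes) -> int:
    """Toy hash: the first BITS bits of MD5(msg)."""
    return int.from_bytes(hashlib.md5(msg).digest()[: BITS // 8], "big")


def candidate(text: bytes, i: int) -> bytes:
    """A document plus a padding field, standing in for a 'junk' area of a file."""
    return text + b" pad=" + str(i).encode()


def find_collision(text_a: bytes, text_b: bytes, budget: int):
    """Collision search: the attacker picks the padding of BOTH documents.

    Every new variant is compared against all earlier variants of the other
    document, so a match is expected after roughly 2**(BITS/2) variants.
    Returns (file_a, file_b, number_of_hashes_computed).
    """
    seen_a, seen_b = {}, {}
    for i in range(budget):
        a, b = candidate(text_a, i), candidate(text_b, i)
        ha, hb = h(a), h(b)
        seen_a[ha], seen_b[hb] = a, b
        if ha in seen_b:
            return a, seen_b[ha], 2 * (i + 1)
        if hb in seen_a:
            return seen_a[hb], b, 2 * (i + 1)
    raise RuntimeError("no collision within budget")


def find_second_preimage(given: bytes, text_b: bytes, budget: int):
    """Second-preimage search: 'given' is fixed and may not be altered.

    Each variant of the other document has only a 2**-BITS chance of matching,
    so about 2**BITS variants are needed. Returns the match or None.
    """
    target = h(given)
    for i in range(budget):
        b = candidate(text_b, i)
        if b != given and h(b) == target:
            return b
    return None


def demo():
    # Constructed sample documents with different meaning.
    text_a = b"I agree to pay $6,000."
    text_b = b"I agree to pay $60,000."

    # Case 1: both files are created together.
    file_a, file_b, cost = find_collision(text_a, text_b, budget=1_000_000)

    # Case 2: one file is handed over as-is; spend the same effort on a match.
    given = candidate(text_a, 0)
    forged = find_second_preimage(given, text_b, budget=cost)
    return file_a, file_b, cost, forged


if __name__ == "__main__":
    file_a, file_b, cost, forged = demo()
    print("collision after", cost, "hashes:")
    print("  ", file_a, hex(h(file_a)))
    print("  ", file_b, hex(h(file_b)))
    print("second preimage with the same effort:", forged)
```

At the full 128 bits the brute-force gap is about 2^64 against 2^128 hash computations; the published collision attacks cut the first figure much further, while no comparable shortcut for the second is described in the thread.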




  19. Re: md5 collision

    matt_left_coast writes:

    >Unruh wrote:


    >> The two files differ only in something like 6 bytes in a garbage area that
    >> is NOT displayed by the postscript interpreter except for the part that
    >> chooses the first or second block of text to display.


    >Then what would be the point? To be able to be effective, it would need to
    >substantively change the document in a way that does not look like
    >gibberish. In short, if someone wanted to commit fraud with this they would
    >have to be able to change something like $60,000 to $6,000 or something
    >else substantive that MAKES SENSE. Since you have already stated that the
    >creation of the two files would require RANDOM elements, it is doubtful
    >that this would be effective. It is doubtful that a random element would
    >effect the changes that a criminal would want. In fact, the random evidence
    >would really only serve as evidence of this type of "attack" with no real
    >way to make the attack effective.


    Have you looked at those two files? Please do so before you spout off.


    >--




  20. Re: md5 collision

    matt_left_coast wrote:
    > Jan Pompe wrote:
    >
    >
    >>matt_left_coast wrote:
    >>
    >>>Jan Pompe wrote:
    >>>
    >>>
    >>>
    >>>>matt_left_coast wrote:
    >>>>
    >>>>
    >>>>>Jan Pompe wrote:
    >>>>>
    >>>>>
    >>>>>
    >>>>>
    >>>>>>matt_left_coast wrote:
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>>Jan Pompe wrote:
    >>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>>>It seems you are just too stupid to realize it amounts to the same
    >>>>>>>>type of rudeness that you have committed and are complaining about in
    >>>>>>>>others.
    >>>>>>>>
    >>>>>>>>In short you are the pot calling the kettle black.
    >>>>>>>
    >>>>>>>
    >>>>>>>Wow, how profound. I know EXACTLY how rude I am being. When confronted
    >>>>>>>with someone as stupid as you I will get rude. The thing is, I can be
    >>>>>>>nice,
    >>>>>>
    >>>>>>I doubt it; your ego is far too inflated for that.
    >>>>>
    >>>>>
    >>>>>that the best you can do?
    >>>>>
    >>>>
    >>>>Better is not required!!!!
    >>>
    >>>
    >>>You are right, it did show you for the unimaginative idiot you are.
    >>>

    >>
    >>Is this the best *you* can do?

    >
    >
    > Wow, now all you can do is ape me, just how big an unimaginative retard are
    > you?
    >
    > Go take your banana and shove it, chimp.


    You call becoming even more uncouth having a good imagination?

    Actually it's rather indicative of a deprived upbringing.
