md5 collision - Security


Thread: md5 collision

  1. Re: md5 collision

    Jan Pompe wrote:

    > matt_left_coast wrote:
    >> Jan Pompe wrote:
    >>
    >>
    >>>matt_left_coast wrote:
    >>>
    >>>>Jan Pompe wrote:
    >>>>
    >>>>
    >>>>
    >>>>>matt_left_coast wrote:
    >>>>>
    >>>>>
    >>>>>>Jan Pompe wrote:
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>>matt_left_coast wrote:
    >>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>>>Jan Pompe wrote:
    >>>>>>>>
    >>>>>>>>
    >>>>>>>>
    >>>>>>>>
    >>>>>>>>
    >>>>>>>>>It seems you are just too stupid to realize it amounts to the same
    >>>>>>>>>type of rudeness that you have committed and are complaining about
    >>>>>>>>>in others.
    >>>>>>>>>
    >>>>>>>>>In short you are the pot calling the kettle black.
    >>>>>>>>
    >>>>>>>>
    >>>>>>>>Wow, how profound. I know EXACTLY how rude I am being. When
    >>>>>>>>confronted with someone as stupid as you I will get rude. The thing
    >>>>>>>>is, I can be nice,
    >>>>>>>
    >>>>>>>I doubt it your ego is far too inflated for that.
    >>>>>>
    >>>>>>
    >>>>>>that the best you can do?
    >>>>>>
    >>>>>
    >>>>>Better is not required!!!!
    >>>>
    >>>>
    >>>>You are right, it did show you for the unimaginative idiot you are.
    >>>>
    >>>
    >>>Is this the best *you* can do?

    >>
    >>
    >> Wow, now all you can do is ape me, just how big a unimaginative retard
    >> are you?
    >>
    >> Go take your banana and shove it, chimp.

    >
    > You call becoming even more uncouth having a good imagination?


    No, that is why I say you lack imagination, you are becoming more uncouth. I
    mean how uncouth, aping someone because you are too stupid to think of
    something intelligent to say!

    >
    > Actually it's rather indicative of a deprived upbringing.


    Yes, I am sure your lack of imagination, lack of intelligence, inability to
    understand basic concepts is indeed indicative of your deprived upbringing.

    --



  2. Re: md5 collision

    Unruh wrote:

    > matt_left_coast writes:
    >
    >>Unruh wrote:

    >
    >>> The two files differ only in something like 6 bytes in a garbage area
    >>> that is NOT displayed by the postscript interpreter except for the part
    >>> that chooses the first or second block of text to display.

    >
    >>Then what would be the point? To be able to be effective, it would need to
    >>substantively change the document in a way that does not look like
    >>gibberish. In short, if someone wanted to commit fraud with this they
    >>would have to be able to change something like $60,000 to $6,000 or
    >>something else substantive that MAKES SENSE. Since you have already stated
    >>that the creation of the two files would require RANDOM elements, it is
    >>doubtful that this would be effective. It is doubtful that a random
    >>element would effect the changes that a criminal would want. In fact, the
    >>random evidence would really only serve as evidence of this type of
    >>"attack" with no real way to make the attack effective.

    >
    > Have you looked at those two files? Please do so before you spout off.
    >


    Yes, there IS differences between the two that prove fraud. You have TWO
    signed files that say two different things, proof of fraud. It would be the
    same if I did it on paper.

    --



  3. Re: md5 collision

    Unruh wrote:

    > matt_left_coast writes:
    >
    >>Unruh wrote:

    >
    >>> matt_left_coast writes:
    >>>
    >>>>Peter Pearson wrote:
    >>>
    >>>>> matt_left_coast wrote:
    >>>>>
    >>>>>> Unruh wrote:
    >>>>>>
    >>>>>>>>When dealing with the first case, you create the first of the two
    >>>>>>>>files, then the file IS known. Then you would be dealing with the
    >>>>>>>>second case.
    >>>>>>>
    >>>>>>> But you have to create them together. You cannot create one and then
    >>>>>>> make another which has the same md5.
    >>>>>>
    >>>>>> Exact process, please.
    >>>>>
    >>>>> The logic here escapes me. Unruh appears to be claiming that
    >>>>> you cannot do something ("cannot create one and then make
    >>>>> another which has the same md5"), and matt_left_coast appears
    >>>>> to be asserting that Unruh should support that claim by
    >>>>> detailing how to do something. You cannot show that something
    >>>>> is impossible by showing how to do something. If
    >>>>> matt_left_coast wishes to claim that one can find a preimage
    >>>>> to a given hash, it's up to him to specify how.
    >>>>>
    >>>>> A recent paper on md5 attacks is "Improved Collision Attack on MD5"
    >>>>> by Yu Sasaki, Yusuke Naito, Noboru Kunihiro, and Kazuo Ohta,
    >>>>> available at http://eprint.iacr.org/2005/400.pdf. The procedure
    >>>>> is outlined in section 3.4. While the details are not essential
    >>>>> to this discussion, the alert reader will note that the attack
    >>>>> does *not* produce a preimage for a given hash, but rather produces
    >>>>> a pair of messages whose hashes match. Unruh is quite right.
    >>>>>
    >>>
    >>>>Are the two files useful for ANYTHING? What are you going to do, put up
    >>>>one of the files for download and swap it for the other? Yeah, you can
    >>>>generate virtually random files that have the same MD5 value but what is
    >>>>the use? It is a meaningless exercise in mental masturbation. Other than
    >>>>to prove it can be done, what use is it? Can you come up with a truly
    >>>>useful "attack" that could be based on this?
    >>>
    >>> No. The two files can contain some random parts, but that can be hidden
    >>> in many file formats. Ie, it is easy to create two different word files
    >>> which have some random junk in the file area which is not used by word
    >>> to create the text such that the two files have the same md5 hash.
    >>>

    >
    >>In other words, two meaningless files. There is no reason to do this other
    >>than to prove it can be done.

    >
    >>>
    >>>
    >>>>Quite frankly, people worried about the MD5 thing are nuts, the
    >>>>likelihood that 2 legitimate files exist in any place where it could be
    >>>>an issue is so ridiculously remote and other issues so much more
    >>>>important that it is probably not worth the effort devoted to this
    >>>>discussion.
    >>>
    >>> No it is not. It is now easy for a crook to have you give you one
    >>> document, and then produce another with entirely different text but with
    >>> exactly the same MD5 hash which is what he claims he signed.

    >
    >>But you said " One cannot create a second file with the same md5 hash as
    >>a given file." Here you are saying it would be EASY! Get your stories
    >>straight.

    >
    > Get your reading straight. I said you cannot create a second file with the
    > same md5 hash as a GIVEN file. What is easy is to create two files with
    > the same md5 hash.
    > He gives you one, but uses the other.


    Nope, you stated that he gives me the file "and then produce another".
    Re-read what you said. The way you wrote it he produces the second file
    AFTER he gave me the first. Get your facts straight.


    A comparison of the two prove fraud, not smart.

    --



  4. Re: md5 collision

    In comp.os.linux.security Unruh :
    > Michael Heiming writes:


    >>In comp.os.linux.security matt_left_coast :
    >>> Michael Heiming wrote:


    >>>> In comp.os.linux.security matt_left_coast :
    >>>>> Unruh wrote:
    >>>>
    >>>>>> matt_left_coast writes:
    >>>>>>
    >>>>>>>Unruh wrote:
    >>>>>>
    >>>>>>>>>When dealing with the first case, you create the first of the two
    >>>>>>>>>files, then the file IS known. Then you would be dealing with the
    >>>>>>>>>second case.
    >>>>>>>>
    >>>>>>>> But you have to create them together. You cannot create one and then
    >>>>>>>> make another which has the same md5.
    >>>>>>
    >>>>>>>Exact process, please.
    >>>>>>
    >>>>>> Go read the papers.
    >>>>
    >>>>> Well, I'll take that as proof you are just bull ****ting, as I thought.
    >>>>
    >>>> Please calm down.
    >>>>
    >>>> This should give a little more insight:
    >>>>
    >>>> http://www.cits.rub.de/MD5Collisions/
    >>>>
    >>>> There is heavily math involved, so you can be sure Bill is almost
    >>>> always right.
    >>>>


    >>> If you read it carefully, it also does not say it is IMPOSSIBLE to create a
    >>> second file. Given enough time and computer power, it could well be done.


    >>You have completely missed the point, in the above example the
    >>second file does make sense. Dunno why you make such a trouble
    >>out of the matter.


    > Just to emphasise this, here is a quote from the article


    > "If you cannot exercise control over colliding messages, these collisions
    > are theoretically interesting but harmless, right? In the past few weeks,
    > we have met quite a few people who thought so.


    > With this page, we want to demonstrate how badly wrong this kind of
    > reasoning is! We hope to provide convincing evidence even for people
    > without much technical or cryptographical background"


    > So read that page. Note that the two examples they gave did NOT require
    > extensive computation. They were easy.


    > The two files differ only in something like 6 bytes in a garbage area that
    > is NOT displayed by the postscript interpreter except for the part that
    > chooses the first or second block of text to display.


    Exactly, thought this article found in 2 seconds thx to google
    would point out what you were talking about, hopefully it does to
    others reading the article. I have given up already about
    "matt_left_coast" in this thread, for what ever reason he insists
    on his flawed logic.

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 249: Unfortunately we have run out of
    bits/bytes/whatever. Don't worry, the next supply will be

  5. Re: md5 collision

    matt_left_coast writes:

    >Unruh wrote:


    >> matt_left_coast writes:
    >>
    >>>Unruh wrote:

    >>
    >>>> The two files differ only in something like 6 bytes in a garbage area
    >>>> that is NOT displayed by the postscript interpreter except for the part
    >>>> that chooses the first or second block of text to display.

    >>
    >>>Then what would be the point? To be able to be effective, it would need to
    >>>substantively change the document in a way that does not look like
    >>>gibberish. In short, if someone wanted to commit fraud with this they
    >>>would have to be able to change something like $60,000 to $6,000 or
    >>>something else substantive that MAKES SENSE. Since you have already stated
    >>>that the creation of the two files would require RANDOM elements, it is
    >>>doubtful that this would be effective. It is doubtful that a random
    >>>element would effect the changes that a criminal would want. In fact, the
    >>>random evidence would really only serve as evidence of this type of
    >>>"attack" with no real way to make the attack effective.

    >>
    >> Have you looked at those two files? Please do so before you spout off.
    >>


    >Yes, there IS differences between the two that prove fraud. You have TWO
    >signed files that say two different things, proof of fraud. It would be the
    >same if I did it on paper.


    Great we are getting somewhere. Yes, it might be fraud. But it is precisely
    fraud that digital signatures were to protect against. Using the law after
    the fact to punish fraud is a far far different thing than preventing it
    beforehand. People have and do rely on the inability to fake a digital
    signature for proof of validity of signatures.

    Besides who is ever going to see the original. Alice got Julius to sign it,
    then applied the signature to the second one and destroyed the first one.
    Where is the proof of fraud?

    Just as someone who got someone to sign paper twice would be an idiot to keep the
    original. And here Alice can get the signature without ever having Julius
    see the second signed file unlike on paper.

    So, you now admit that the MD5 break CAN be used to do something, can be
    used to commit fraud, can be "effective". In the quote you kindly kept from
    before you stated that
    " Then what would be the point? To be able to be effective, it would need to
    >>>substantively change the document in a way that does not look like
    >>>gibberish."

    Before you claimed that there was nothing that could
    be done with it, it was useless. Now it can be used to commit fraud. Or is
    fraud "nothing"?

    So, to recapitulate, the current attack against MD5 can be effective, can
    be used to commit fraud. As such it is dangerous and MD5 should NOT be used
    in any signature scheme. It cannot at present be used to copy the signature
    from a preexisting document, but it can be used to create two documents
    such that signing one is also signing the other, the other possibly being
    radically and meaningfully different from the first. And the "random element" needed to do
    so can be hidden in the file in such a way that it is not displayed under
    normal use of the file.

    Given BOTH signed files, the difference can be discovered, but rarely will
    anyone except the perpetrator have both copies to compare. The random
    element will just seem like some meaningless inconsequential junk included
    in the file, and since many word processor programs leave meaningless
    inconsequential junk in the file anyway, this will cause no suspicion even
    to the suspicious.
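
The distinction argued over in this thread (two files prepared together versus a second file matching a given one), and the point in the post above that signing one file also signs the other, shown as an added example that is not part of any post. It uses a toy 16-bit digest (the first two bytes of MD5) so that plain brute force finishes quickly, whereas real MD5 collisions come from the published differential attacks; the document layout, the hidden field, the key, and HMAC standing in for Julius's signature are all assumptions.

```python
import hashlib
import hmac
from itertools import count

TOY_BYTES = 2                          # toy digest length: 16 bits of MD5
SIGNER_KEY = b"constructed-demo-key"   # constructed stand-in for Julius's key
TEXT_A = "I, Julius, will pay $9,000."  # constructed sample documents
TEXT_B = "I, Julius, will pay $900."


def toy_digest(data: bytes) -> bytes:
    """Deliberately short digest so the searches below finish quickly."""
    return hashlib.md5(data).digest()[:TOY_BYTES]


def strong_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def document(text: str, junk: int) -> bytes:
    """Visible text plus a field a viewer would not display (hypothetical layout)."""
    return text.encode() + b"\n%% hidden: " + str(junk).encode() + b"\n"


def find_collision(text_a: str, text_b: str):
    """Both documents are prepared together: vary the hidden field of each
    until some variant of A and some variant of B share a digest."""
    n = 1 << (8 * TOY_BYTES // 2)      # about the square root of the digest space
    seen = {}
    for i in range(n):
        seen.setdefault(toy_digest(document(text_a, i)), i)
    for j in count():
        doc_b = document(text_b, j)
        i = seen.get(toy_digest(doc_b))
        if i is not None:
            return document(text_a, i), doc_b, n + j + 1  # digests computed


def find_second_preimage(given: bytes, text_b: str):
    """The first document is fixed by someone else: only B can be varied,
    so the search has to hit one specific digest."""
    target = toy_digest(given)
    for j in count():
        doc_b = document(text_b, j)
        if toy_digest(doc_b) == target:
            return doc_b, j + 1


def sign(doc: bytes, digest_fn) -> bytes:
    """Hash-then-sign: the signature covers the digest only.
    HMAC stands in for a public-key signature here."""
    return hmac.new(SIGNER_KEY, digest_fn(doc), hashlib.sha256).digest()


def verify(doc: bytes, sig: bytes, digest_fn) -> bool:
    return hmac.compare_digest(sig, sign(doc, digest_fn))


if __name__ == "__main__":
    doc_a, doc_b, evals = find_collision(TEXT_A, TEXT_B)
    print("pair prepared together:", evals, "digests computed")

    given = document(TEXT_A, 0)
    _, tries = find_second_preimage(given, TEXT_B)
    print("match for a given file:", tries, "digests computed")

    sig = sign(doc_a, toy_digest)      # Julius signs document A
    print("weak digest, B verifies under A's signature:",
          verify(doc_b, sig, toy_digest))
    sig2 = sign(doc_a, strong_digest)  # same flow with SHA-256
    print("SHA-256 digest, B verifies under A's signature:",
          verify(doc_b, sig2, strong_digest))
```

The work gap between the two searches grows with digest length: roughly the square root of the digest space for a prepared pair against the whole space for a match to a given file.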


  6. Re: md5 collision

    Michael Heiming wrote:

    > I have given up already about
    > "matt_left_coast" in this thread, for what ever reason he insists
    > on his flawed logic.



    Glad you gave up on me. The reason my logic is flawed is because I don't
    that this as the serious threat the panic stricken here seem to think it
    is. If the files must be created at the same time, then ONLY the signer
    could have created the files. If he ever tries to use the two different
    files then the signature proves that HE is the creator of the two files,
    proving that they are being deceitful. If someone tries to send me a file
    created this way, then tries to use the other file to try to claim he
    said something different, the signatures would prove that only he could
    have created the two different files and that he is committing fraud. It
    would seem totally idiotic that ANYONE would want to use this method to
    commit fraud since it clearly ID's the person committing the fraud. There
    would be no question as to who, and no question as to if it were deliberate
    or not. The moment the person tries to use the second file, you have your
    smoking gun. Truthfully, After reading everything presented here, I would
    still trust files with MD5 over a paper letter with someone's signature on
    it. From what is presented here, it is still obvious that it would be far
    more difficult for someone else to forge an MD5 signature than it would be
    to forge a written signature.


    --



  7. Re: md5 collision

    Unruh wrote:

    > Great we are getting somewhere. Yes, it might be fraud. But it is
    > precisely fraud that digital signatures were to protect against.


    It still does.
    --



  8. Re: md5 collision

    matt_left_coast writes:

    >Unruh wrote:


    >> matt_left_coast writes:
    >>
    >>>Unruh wrote:

    >>
    >>>> matt_left_coast writes:
    >>>>
    >>>>>Peter Pearson wrote:
    >>>>
    >>>>>> matt_left_coast wrote:
    >>>>>>
    >>>>>>> Unruh wrote:
    >>>>>>>
    >>>>>>>>>When dealing with the first case, you create the first of the two
    >>>>>>>>>files, then the file IS known. Then you would be dealing with the
    >>>>>>>>>second case.
    >>>>>>>>
    >>>>>>>> But you have to create them together. You cannot create one and then
    >>>>>>>> make another which has the same md5.
    >>>>>>>
    >>>>>>> Exact process, please.
    >>>>>>
    >>>>>> The logic here escapes me. Unruh appears to be claiming that
    >>>>>> you cannot do something ("cannot create one and then make
    >>>>>> another which has the same md5"), and matt_left_coast appears
    >>>>>> to be asserting that Unruh should support that claim by
    >>>>>> detailing how to do something. You cannot show that something
    >>>>>> is impossible by showing how to do something. If
    >>>>>> matt_left_coast wishes to claim that one can find a preimage
    >>>>>> to a given hash, it's up to him to specify how.
    >>>>>>
    >>>>>> A recent paper on md5 attacks is "Improved Collision Attack on MD5"
    >>>>>> by Yu Sasaki, Yusuke Naito, Noboru Kunihiro, and Kazuo Ohta,
    >>>>>> available at http://eprint.iacr.org/2005/400.pdf. The procedure
    >>>>>> is outlined in section 3.4. While the details are not essential
    >>>>>> to this discussion, the alert reader will note that the attack
    >>>>>> does *not* produce a preimage for a given hash, but rather produces
    >>>>>> a pair of messages whose hashes match. Unruh is quite right.
    >>>>>>
    >>>>
    >>>>>Are the two files useful for ANYTHING? What are you going to do, put up
    >>>>>one of the files for download and swap it for the other? Yeah, you can
    >>>>>generate virtually random files that have the same MD5 value but what is
    >>>>>the use? It is a meaningless exercise in mental masturbation. Other than
    >>>>>to prove it can be done, what use is it? Can you come up with a truly
    >>>>>useful "attack" that could be based on this?
    >>>>
    >>>> No. The two files can contain some random parts, but that can be hidden
    >>>> in many file formats. Ie, it is easy to create two different word files
    >>>> which have some random junk in the file area which is not used by word
    >>>> to create the text such that the two files have the same md5 hash.
    >>>>

    >>
    >>>In other words, two meaningless files. There is no reason to do this other
    >>>than to prove it can be done.

    >>
    >>>>
    >>>>
    >>>>>Quite frankly, people worried about the MD5 thing are nuts, the
    >>>>>likelihood that 2 legitimate files exist in any place where it could be
    >>>>>an issue is so ridiculously remote and other issues so much more
    >>>>>important that it is probably not worth the effort devoted to this
    >>>>>discussion.
    >>>>
    >>>> No it is not. It is now easy for a crook to have you give you one
    >>>> document, and then produce another with entirely different text but with
    >>>> exactly the same MD5 hash which is what he claims he signed.

    >>
    >>>But you said " One cannot create a second file with the same md5 hash as
    >>>a given file." Here you are saying it would be EASY! Get your stories
    >>>straight.

    >>
    >> Get your reading straight. I said you cannot create a second file with the
    >> same md5 hash as a GIVEN file. What is easy is to create two files with
    >> the same md5 hash.
    >> He gives you one, but uses the other.


    >Nope, you stated that he gives me the file "and then produce another".
    >Re-read what you said. The way you wrote it he produces the second file
    >AFTER he gave me the first. Get your facts straight.


    What I had said three times before and assumed that your attention span was
    long enough to remember was that those two were prepared AT THE SAME TIME.
    Yes, he "produced", made manifest, brought to light, used, the other AFTER
    the first had been signed. Of course he would not give you both at the same
    time. I assume a fraud artist has at least a minimal level of competence,
    unlike some netnews posters.




    >A comparison of the two prove fraud, not smart.


    >--




  9. Re: md5 collision

    matt_left_coast writes:

    >Michael Heiming wrote:


    >> I have given up already about
    >> "matt_left_coast" in this thread, for what ever reason he insists
    >> on his flawed logic.



    >Glad you gave up on me. The reason my logic is flawed is because I don't
    >that this as the serious threat the panic stricken here seem to think it
    >is. If the files must be created at the same time, then ONLY the signer
    >could have created the files. If he ever tries to use the two different


    Let's see, you claimed to have read that web page. Either you did not read
    it or your English reading skills really really need work.
    No CEO like Julius Caesar writes his own files. Alice comes to him with the
    file and says, here is a letter which expresses what we discussed. Could
    you pls digitally sign it. He does. He has thus ALSO signed the other
    letter.
    If the recipients think that he created it, so much the better.


    >files then the signature proves that HE is the creator of the two files,
    >proving that they are being deceitful. If someone tries to send me a file
    >created this way, then tries to use the other file to try to claim he
    >said something different, the signatures would prove that only he could
    >have created the two different files and that he is committing fraud. It
    >would seem totally idiotic that ANYONE would want to use this method to
    >commit fraud since it clearly ID's the person committing the fraud. There


    Again go back and read that page. Alice gets Caesar to sign one file. She
    uses the other file, for which Caesar's signature also fits, to accomplish
    her purposes.


    >would be no question as to who, and no question as to if it were deliberate
    >or not. The moment the person tries to use the second file, you have your
    >smoking gun. Truthfully, After reading everything presented here, I would


    What good are smoking guns long after the deed is finished? You have a
    strange idea of how con artists operate, thinking they stick around to have
    people catch on to what he did.

    Also I thought you said that this break in MD5 was ineffective and useless
    and could not be used for any fraudulent purposes?


    >still trust files with MD5 over a paper letter with someone's signature on
    >it. From what is presented here, it is still obvious that it would be far
    >more difficult for someone else to forge an MD5 signature than it would be
    >to forge a written signature.


    Again, no, this scenario is trivially easy. Far far easier than to forge a
    written signature. Start the program, let it run an hour and you have your
    two files containing whatever you like. Now persuade the patsy to sign one
    of them, but that is always the problem in these con games. And a good fraud
    artist is very very good at that part.

    No need now to try to copy the signature or practicing long hours to
    perfect the signature.

    In fact you can make it part of your next Nigerian scam scheme. "You have
    just won 32 million dollars. Please sign this letter (digitally since this
    is email) accepting this prize."

    In fact it might well have already happened.




  10. Re: md5 collision

    matt_left_coast wrote:

    > Pat Farrell wrote:
    >
    >> matt_left_coast wrote:
    >>
    >>
    >>

    >
    > Good, I like it when ignorant a-holes plonk me.
    >
    > --

    Pat Farrell, ignorant? His name definitely comes up now and again in the
    security field. I think I first ran across him because at one time he had a
    great list of crypto links on a George Mason server. Probably years ago.
    And that reference probably came from Ron Rivest's links page. That GMU
    bookmark gets me a 404 now, alas. I'd wager Pat Farrell has a *lot* of
    experience in the field.

    Arguing with Bill Unruh may not be too smart either. I didn't realize Unruh
    was *Bill* Unruh until Michael Heiming's post above. I'm an astronomy and
    physics fan, and that's how I first knew of Bill Unruh. Personally, I'd
    tend to be very certain of my facts (and you are dead-bang wrong with
    pretty much everything you've said) before I argued with an astrophysicist,
    member of the Royal Society, etc., *who has done the math*.

    I've seen posts from 'Unruh' in lots of places on Usenet. Somehow, I never
    made that connection. Astonishing.

    Anyway, I'd suggest you read the references, google around for hash
    collision references, which will be all over the place since source was
    released recently, and surrender gracefully.

    Cheers,
    Greg
    --
    Greg Mecalfe
    GPG fingerprint: 95B3 2BDD 9152 1E7D A240 37C1 7AE2 9B71 0065 F029

  11. Re: md5 collision

    Unruh wrote:

    > matt_left_coast writes:
    >
    >>Michael Heiming wrote:

    >
    >>> I have given up already about
    >>> "matt_left_coast" in this thread, for what ever reason he insists
    >>> on his flawed logic.

    >
    >
    >>Glad you gave up on me. The reason my logic is flawed is because I don't
    >>that this as the serious threat the panic stricken here seem to think it
    >>is. If the files must be created at the same time, then ONLY the signer
    >>could have created the files. If he ever tries to use the two different

    >
    > Let's see, you claimed to have read that web page. Either you did not read
    > it or your English reading skills really really need work.
    > No CEO like Julius Caesar writes his own files. Alice comes to him with
    > the file and says, here is a letter which expresses what we discussed.
    > Could you pls digitally sign it. He does. He has thus ALSO signed the
    > other letter.
    > If the recipients think that he created it, so much the better.


    When I call Julius about a detail in the file, Alice is fired. No, Alice
    would be a fool.

    >
    >
    >>files then the signature proves that HE is the creator of the two files,
    >>proving that they are being deceitful. If someone tries to send me a file
    >>created this way, then tries to use the other file to try to claim he
    >>said something different, the signatures would prove that only he could
    >>have created the two different files and that he is committing fraud. It
    >>would seem totally idiotic that ANYONE would want to use this method to
    >>commit fraud since it clearly ID's the person committing the fraud. There

    >
    > Again go back and read that page. Alice gets Caesar to sign one file. She
    > uses the other file, for which Caesar's signature also fits, to accomplish
    > her purposes.
    >


    And Alice gets fired. Alice would be better off forging signatures. If
    Julius is prudent and saves the original file signed, Alice is cooked.

    How would that work, Alice sends the file via Email to Julius (she would not
    hand carry the file in) Julius signs the file and sends it back to Alice.
    The original file is still in the sent files. Alice could not delete the
    evidence that would convict her and she is cooked.

    >
    >>would be no question as to who, and no question as to if it were
    >>deliberate or not. The moment the person tries to use the second file, you
    >>have your smoking gun. Truthfully, After reading everything presented
    >>here, I would

    >
    > What good are smoking guns long after the deed is finished?


    Catch, convict and sue the perpetrator. The risk of being caught and the
    iron clad nature of the evidence works as a deterrent. Anyone other than
    someone as stupid as you would know that there are far easier and less
    risky ways of committing fraud.

    > You have a
    > strange idea of how con artists operate, thinking they stick around to
    > have people catch on to what he did.
    >
    > Also I thought you said that this break in MD5 was ineffective and
    > useless and could not be used for any fraudulent purposes?


    I would trust it more than a paper with a signature on it. Alice could have
    forged the signature without Julius ever seeing the paper!

    >
    >
    >>still trust files with MD5 over a paper letter with someone's signature on
    >>it. From what is presented here, it is still obvious that it would be far
    >>more difficult for someone else to forge an MD5 signature than it would be
    >>to forge a written signature.

    >
    > Again, no, this scenario is trivially easy. Far far easier than to forge a
    > written signature.


    But you risk the evidence being saved. Julius MUST sign the file, he could
    then save the file. Then there would be solid proof that Alice committed
    fraud. If Alice forged the signature, Julius need never see the paper and
    has no chance to save the original. It would be far harder to prove fraud
    with a paper signature. Alice would be a fool to try it with MD5.

    > Start the program, let it run an hour and you have
    > your two files containing whatever you like. Now persuade the patsy to
    > sign one of them, but that is always the problem in these con games.


    You know, another easy way to avoid this would be to ask for a file only
    signed by Julius, the patsy is out of the picture.

    > And a
    > good fraud artist is very very good at that part.


    But if I don't know who the patsy is, I don't accept the file. Never mind
    that the fraud artist would need to allow the signer to sign, giving the
    signer a chance to save the file that could convict the fraud artist. No
    good fraud artist would even allow the chance that someone can save the
    evidence of his fraud.

    >
    > No need now to try to copy the signature or practicing long hours to
    > perfect the signature.


    Use the signature machine that all CEO's have, job done. No convincing a
    patsy, no chance that proof is saved anywhere. Alice's signature is
    nowhere to be seen... Sorry, the signature machine is a much better, safer
    option. Alice would have to be a total moron to create an incriminating
    file that has her signature on it that Julius could possibly save, con
    Julius into signing it then sending out the file with HER signature on it
    rather than just run a single page through a signature machine.

    >
    > In fact you can make it part of your next Nigerian scam scheme. "You have
    > just won 32 million dollars. Please sign this letter (digitally since this
    > is email) accepting this prize."
    >
    > In fact it might well have already happened.


    The fact is, the file would need Alice's signature on it. No good fraud
    artist would EVER sign the proof of their fraud.

    --



  12. Re: md5 collision

    Unruh wrote:

    > What I had said three times before and assumed that your attention span
    > was long enough to remember was that those two were prepared AT THE SAME
    > TIME. Yes, he "produced", made manifest, brought to light, used, the other
    > AFTER the first had been signed. Of course he would not give you both at
    > the same
    > time. I assume a fraud artist has at least a minimal level of competence,
    > unlike some netnews posters.
    >
    >


    So, he creates one file that says he will pay me $9,000 and another one that
    says he will pay me $900. They are both signed with the same MD5 and he
    sends me the message where he commits to pay me $9,000. I now have a copy
    of that signed commitment. Now, he wants to claim that he committed to
    paying only $900, what is he going to do, produce the second file as proof?
    Are you that stupid? If he tries to use the second file he is busted with
    solid proof. Do you really think anyone smart enough to create the files
    would be stupid enough to actually use the second file?


    --



  13. Re: md5 collision

    Greg Metcalfe wrote:

    > matt_left_coast wrote:
    >
    >> Pat Farrell wrote:
    >>
    >>> matt_left_coast wrote:
    >>>
    >>>
    >>>

    >>
    >> Good, I like it when ignorant a-holes plonk me.
    >>
    >> --

    > Pat Farrell, ignorant? His name definitely comes up now and again in the
    > security field. I think I first ran across him because at one time he had
    > a great list of crypto links on a George Mason server. Probably years ago.
    > And that reference probably came from Ron Rivest's links page. That GMU
    > bookmark gets me a 404 now, alas. I'd wager Pat Farrell has a *lot* of
    > experience in the field.


    If you read the post that he replied to with his plonk message, you will see
    that I made valid replies to his points. Anyone that plonks valid replies
    is an ignorant SOB in my book.

    >
    > Arguing with Bill Unruh may not be too smart either. I didn't realize
    > Unruh was *Bill* Unruh until Michael Heiming's post above. I'm an
    > astronomy and physics fan, and that's how I first knew of Bill Unruh.
    > Personally, I'd tend to be very certain of my facts (and you are dead-bang
    > wrong with pretty much everything you've said) before I argued with an
    > astrophysicist, member of the Royal Society, etc., *who has done the
    > math*.


    The only thing I have been wrong in is the creation of the two files. Bill
    Unruh has also admitted that he was wrong on parts of the issue as well.

    Yes, Bill has done the math but he has failed to show a true, reasonable
    exploitation of the method that does not point right back to the person
    doing the exploit. He knows the algorithm but to USE the exploit, is a
    different issue.

    >
    > I've seen posts from 'Unruh' in lots of places on Usenet. Somehow, I never
    > made that connection. Astonishing.
    >
    > Anyway, I'd suggest you read the references, google around for hash
    > collision references, which will be all over the place since source was
    > released recently, and surrender gracefully.
    >
    > Cheers,
    > Greg


    I now agree that the files can be made, but what good are they? To use them
    you have to sign them, once you sign them then you create a "paper" trail
    right back to your door. Only an idiot would do that.

    --



  14. Re: md5 collision

    Unruh wrote:

    > Great we are getting somewhere. Yes, it might be fraud. But it is
    > precisely fraud that digital signatures were to protect against. Using the
    > law after the fact to punish fraud is a far far different thing than
    > preventing it beforehand. People have and do rely on the inability to fake
    > a digital signature for proof of validity of signatures.


    The fact that it does so clearly identify who is committing the fraud would
    still deter anyone but a total idiot.

    --



  15. Re: md5 collision

    Pat Farrell wrote:
    > Peter Pearson wrote:
    >> The nature of the mushing, however, is very similar:
    >> a dataflow diagram of MD5 looks very much like a dataflow
    >> diagram of SHA.

    >
    > Sure, they are both basically feisel ciphers.
    >
    > Lots of ciphers are feisel ciphers, a dataflow diagram
    > doesn't show much. Take clear text, smush it some, end up
    > with weird garbage looking stuff.
    >
    > Idea, AES, DES, lets look like that.


    The word is "Feistel", named after Horst Feistel, who
    worked for IBM. Neither Idea nor AES is a Feistel cipher.

    The reader taking the trouble to inspect the diagrams at
    http://en.wikipedia.org/wiki/SHA-1 and
    http://en.wikipedia.org/wiki/MD5
    will easily recognize the family resemblance between MD5
    and SHA-1.

    >> Since SHA-1 appeared to be a very robust design, but has
    >> recently been found to be weak, the crypto community is
    >> perplexed by the realization that we don't know much about
    >> designing hash functions.

    >
    > Found to have a flaw is not the same as "weak"
    > Which do you mean?


    I mean that because their designs do not prevent attacks like
    that of Xiaoyun Wang, these hash functions permit the construction
    of pairs of colliding inputs with work less than the 2^(N/2)
    expected for an N-bit hash function.

    > At some level, all crypto is voodoo.


    To butcher my favorite Ayn Rand quotation, "At some
    level," beef stroganoff is made from sawdust and gasoline.
    --
    Peter Pearson
    To get my email address, substitute:
    nowhere -> spamcop, invalid -> net


  16. Re: md5 collision

    Unruh wrote:

    > Now, it is not as innocuous as it sounds. Since you can also take two
    > given files and add stuff to the end of them such that the two amended
    > files have the same md5. Thus one could say "I agree to pay you $10" and
    > the other "I agree to pay you $1000"; afterwards, the two read
    >
    > "I agree to pay you $10
    >
    >
    >
    > ^&^^%KJSH*(*"
    >
    > and the other reads
    >
    > "I agree to pay you $1000
    >
    >
    > NLK<>&*(^&)(*P> > "
    > and that junk could be hidden in the huge amount of junk that Word for
    > example stores in the file.


    Perhaps a more threatening scenario involves public-key
    certificates. Lenstra, Wang, and de Weger have demonstrated
    (http://www.win.tue.nl/~bdeweger/CollidingCertificates/)
    the ability to generate a pair of valid X.509 certificates
    whose MD5-based signatures are identical. The threat here is
    that you can generate a hash-colliding pair of certificates
    one of which binds your public key to the domain
    numberhobbies.org while the other binds your public key
    to citibank.com. You then get a certificate authority
    like Verisign to sign your numberhobbies.org certificate,
    and use that same signature to give your fake citibank.com
    phishing website absolutely impeccable credentials.

    Unlike the "I agree to pay" scam, this scam doesn't lead to
    anybody's seeing both certificates at once, and so doesn't draw
    attention to the existence of a hash collision. And since
    certificate checking is generally done by software (e.g.,
    your browser), suspicious-looking variability in, for
    example, the address field would seldom be noticed.

    AFAIK, nobody has overcome all the practical obstacles to
    mounting such a scam.

    Similar scams might be mounted against digital-signature
    certification of software downloads.

    --
    Peter Pearson
    To get my email address, substitute:
    nowhere -> spamcop, invalid -> net
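
Added example, not part of any post in this thread: the 2^(N/2) birthday bound from post 15 and the appended-junk scenario quoted in post 16, run on a toy hash (MD5 truncated to N = 32 bits) so that a generic search finishes in about a second. This is not Wang's attack on full MD5. The function names, the 32-bit truncation and the HMAC standing in for a real public-key signature are all assumptions of the example.

```python
import hashlib
import hmac

DIGEST_BITS = 32  # toy digest size N (assumption); real MD5 has N = 128


def toy_digest(data: bytes) -> bytes:
    """MD5 truncated to DIGEST_BITS bits: a deliberately tiny N-bit hash."""
    return hashlib.md5(data).digest()[: DIGEST_BITS // 8]


def sign(key: bytes, document: bytes) -> bytes:
    """Stand-in for a signature: like RSA-with-MD5, it covers only the digest."""
    return hmac.new(key, toy_digest(document), hashlib.sha256).digest()


def verify(key: bytes, document: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(key, document), signature)


def find_colliding_pair(text_a: bytes, text_b: bytes):
    """Append counter 'junk' to both texts until the two families share a digest.

    Returns (doc_a, doc_b, digests_computed).
    """
    seen_a, seen_b = {}, {}
    counter = 0
    while True:
        junk = b"\n" + str(counter).encode()
        doc_a, doc_b = text_a + junk, text_b + junk
        da, db = toy_digest(doc_a), toy_digest(doc_b)
        seen_a[da], seen_b[db] = doc_a, doc_b
        counter += 1
        if da in seen_b:
            return doc_a, seen_b[da], 2 * counter
        if db in seen_a:
            return seen_a[db], doc_b, 2 * counter


if __name__ == "__main__":
    key = b"constructed demo key"  # constructed sample value
    low, high, work = find_colliding_pair(b"I agree to pay you $10",
                                          b"I agree to pay you $1000")
    signature = sign(key, low)
    print("digests computed:", work, "vs 2^(N/2) =", 2 ** (DIGEST_BITS // 2))
    print("signature on $10 text verifies on $1000 text:",
          verify(key, high, signature))
    print("SHA-256 of the two texts equal:",
          hashlib.sha256(low).digest() == hashlib.sha256(high).digest())
```

The signature check passes for both documents because it only ever sees the digest; comparing the documents under a collision-resistant hash shows they differ.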


  17. Re: Um... (was md5 collision)

    Laboring through this thread, a couple things occurred to me.

    First, and (sorry) superficially, it is surprising how willing some bright
    folks are to spar with rather foolish ones.

    The substantive part of this discussion illustrates, among other things,
    the importance of digital signatures being applied carefully. It seems it
    is much safer, for example, to sign a plain text file than a Word
    document. Making sure that the signature is applied to exactly the
    information intended, and nothing more (like proprietary formatting
    foo-fah), can only help minimize vulnerability to whatever algorithmic
    weaknesses might exist.

    I knew my preference for vi and plain old text over all the WYSIWYG
    eye-candy generators went beyond mere crotchetiness.

    --skip--
    --
    Sent via PINE: Power Internet News & Email

