SHA-0 Broken, MD5 Rumored Broken 707
An anonymous reader writes "Exciting advances in breaking hash functions this week at the CRYPTO conference. SHA-0 has
definitely been broken (collision found in the full function). Rumors are that at the informal rump session, a researcher will announce a collision in full MD5 and RIPEMD-128. And Ed Felten is speculating about collisions in SHA-1! Many systems, especially those that use cryptography for digital signatures are most at risk here."
Consequences? (Score:5, Insightful)
privacy (Score:1, Insightful)
Re:Just a Thought . . . (Score:3, Insightful)
It probably isn't a big deal... or is it? (Score:2, Insightful)
Re:Don't the laws of computing make it... (Score:4, Insightful)
The real point... (Score:2, Insightful)
However, if the algorithm is weak enough to allow a collision to be manufactured deterministically, then an attacker can craft a substitute message that returns the same hash. Think appending a junk file to the end of an archive to force the same hash.
Can you see the problem with that?
Re:Umm... (Score:3, Insightful)
Once upon a time, you needed millions of dollars and specialized hardware to crack 56-bit DES. Now it can be done with commodity hardware and a little time. Moore's Law is relentless. Today's TERA NOVA is tomorrow's PDA.
No, No, No! (Score:5, Insightful)
An attacker's goal would be to substitute something else for the original data and make you trust it.
Re:Consequences? (Score:3, Insightful)
Re:Should We Fear? (Score:0, Insightful)
Re:Should We Fear? (Score:1, Insightful)
Because his comment was funny.
Next question?
Re:Umm... (Score:5, Insightful)
Really? I don't think so.
In order to do anything with it it would also have to pass all the other sanity checks.
Use an faked md5 to put out rootkitted
Use md5 to verify logins? Then who cares if someone can generate a message to collide with your password's hash when it's computationally more difficult than regenerating your password.
For the all applications that I've heard md5 being used, I don't think it would be a big deal. But of course I probably am not thinking of some other places md5 is used...
collision != broken (Score:3, Insightful)
Finding a single example of an MD5 collision in 80000 CPU hours is an interesting exercise, but I think we always knew collisions were possible (with any hash function), and I fail to see how this finding reduces the security of MD5 in any practical way.
Mod this legerdemain down (Score:1, Insightful)
Re:Of course! (Score:3, Insightful)
Re:Don't the laws of computing make it... (Score:4, Insightful)
The beauty of the OTP is that it doesn't matter if you guess what the pad is - you can't tell you've got it rigbt.
Given a cyphertext of length 9, there are keys that will decrypt it to read "Kill Bush", "Save Bush", "FuckOsama", "Bomb Iraq", "Love Boat", "qwertyuio", "!@#3fst9$-", and every other 9 character string. Since the OTP is random, all these keys have equal probability of being the correct one.
Re:collision != broken (Score:2, Insightful)
Collision == broken if the research leads to subsequent work which further weakens the algorithm.
Agreed that finding a collision via an exhaustive search is no big whoop, but I don't *think* that is what this rumor is about
Basically, that crack in your foundation *might* be no big deal, but it *might* mean that there's a spring running 6" below the foundation wall and in six months your mansion collapses.
Re:Paradigm Shift long overdue (Score:4, Insightful)
See earlier post about a thought experiment Bruce Schneier carried out that showed 256-bit symmetric encryption (if it had no holes) would be proof against any attack that could be carried out using (using our current knowledge of physics, that is).
Probably not a big deal... (Score:3, Insightful)
The greatest weakness would be in password systems where only hashes are stored. If you could create an arbitrary password that had the same hash as one stored on the system (and there have been attacks on the password generation side, but none successfully on the side of specifically creating a password *based* on a hash), then you can get in.
There may yet be discovered a formula for creating that collision, now that we have discovered one, we can determine if there is a relationship between the two plaintexts that can be exploited if we know either the plaintext, or the hash, and can generate an arbitrary collision.
Document signatures are much less problematic. You would have to create a *sensible* document to replace the hashed document. This is way less likely to occur, to the point that would be attacking by far the strongest link in the chain.
Re:Should We Fear? (Score:5, Insightful)
Actually, you can do interesting and dangerous things with variants of your first step, not even progressing to step two. The MD5 collisions (well, almost collisions) are largely the same input data that has differences in only a few places. Now imagine that I have two messages that say something like this:
If you agree, you sign it. But you realize that digital signatures don't actually sign the message, right? They sign the hash of the message, so I can later produce the $100000 message, with your signature, and it will verify that you signed that message!
Re:md5 is so weak (Score:5, Insightful)
Re:Don't the laws of computing make it... (Score:5, Insightful)
For more fun see Ultimate physical limits to computation [arxiv.org] by Seth Lloyd
Re:Should We Fear? (Score:1, Insightful)
Re:Don't the laws of computing make it... (Score:4, Insightful)
It's the Heisenburg uncertainty principle, and it doesn't rule out computing with individual atoms. It just means that computing with individual atoms will work a lot differently than it does with normal, mostly deterministic electronics. The field of quantum computing is all about exploiting the weird quantum properties of atoms to do even more computation than would be possible if they were completely deterministic little point particles.
breaking BitTorrent (Score:2, Insightful)
Re:Should We Fear? (Score:2, Insightful)
So let's say that for a 160megs file you store an md5 hash for every chunk (1, 2, 10 megs maybe?),
AND THEN you check the global MD5...
or who knows. Just do some math with the hashes themselves. It's not that hard to make an encryption algorithm more secure.
Like they did with DES -> 3DES.
Re:Probably not a big deal... (Score:3, Insightful)
Well, that doesn't have much to do with *collisions* at all.
If you have any method at all (collisions or not) to generate a string from a hash, then you have a problem with password systems... A collision would only be necessary if, for some strang reason, finding the ORIGINAL password isn't good enough, which isn't the case in any password-protected systems I can think of.
Well, if you need to have the plaintext to generate the collision, it's not at all useful for finding hashed values, such as passwords.
Indeed, it would be extremely difficult to exploit a collision, even if you do have a method to find them easily...
Sigh... (Score:5, Insightful)
2. If you can produce a hash identical to a desired hash, you can mostly only sabotage (poison) a transfer.
3. If you can take an existing file and append data to match a hash, you have a total and very dangerous compromise.
From what I can tell, we're at #1. Make it #2, and things will break as people move to a new algorithm, but I doubt there'll be much problems. Now do #3, and I'm worried...
Kjella
Re:Explain ? (Score:4, Insightful)
So I don't know what the news item is here, except as a curiosity ('look we found it' - like finding the next Mersenne prime) or some technique has been found for making hash collisions which is better than brute force. If all they did was brute-force hash lots of files until finding two with the same MD5sum or whatever, it's obvious they were going to find a collision eventually.
Re:Umm... (Score:5, Insightful)
The important issue starts when you use PGP to sign your message.
Suppose you sign:
mybank: Please transfer $100 to my son's account: 12345678 ref: Have a nice vacation!
then your PGP program will calculate the MD5 sum of this message and sign that using RSA (or DSA). As all know those algorithms are very very strong.
Next, the attacker will change your message to:
mybank: Please transfer $1000,000 to J. Crook account 87654321 Ref: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
and when the crook can then adjust the XXX part in such a way that an MD5 has collision occurs.... You just authorized your bank to do something you may not have wanted....
There should be about 28 X's in there. That will allow the crook over 2^160 possible messages. Trying them all, there is a high probability that at least one of them has a hash collision with your signed original message. If calculating which one of the possible over 2^160 messages has the "right" MD5sum, costs significantly less than 2^160 operations, then that's considered breaking the hash....
Re:Should We Fear? (Score:3, Insightful)
I don't know about other public-key algorithms, but with RSA, the numeric value of your message must be less than the modulus. So if you want to directly sign a 100 MB file with a 2048-bit RSA key, you have to split the 100 MB file into at least 390625 separate messages, and sign them individually. Even then, you run into problems with people re-ordering your messages, so you'd have to insert some sort of sequence-numbered header into each sub-message to prevent that.
With that many signatures and a predetermined header format, you start giving out an awful lot of data to perform known ciphertext attacks on.