From: Jan Grant
Date: Thu, 19 Aug 2004 11:26:47 +0100 (BST)
To: Brett Glass
Cc: freebsd-security@freebsd.org
Subject: Re: Report of collision-generation with MD5
List-Id: Security issues [members-only posting]

On Wed, 18 Aug 2004, Brett Glass wrote:

> At 02:54 PM 8/18/2004, Chris Doherty wrote:
>
> >what you can do, if you have a proper attack formula, is find *a* message
> >that produces *that one hash*. that is, if I have message M which produces
> >hash H, I can use the attack to find *a* message M' which will also
> >produce hash H.
>
> The thing is, passwords are short and have limited entropy. Chances are,
> if you find a password that produces the same hash, it's M.

Details in the paper are few, but I don't think what Chris describes in the
snippet Brett quotes is what's necessarily happening. That is, for any given
MD5 initial state, they seem to be saying that they can find two related
messages that produce the same hash. NOT that they necessarily can find a
message with the same hash as a _given_ message.

Which I guess means that they can tack two different strings on the end of
any arbitrary file (since they claim they can attack an arbitrary IV) and the
resulting two files will also have the same MD5 hash, but that won't be the
MD5 of the original. The two appended strings are effectively random, and
differ from each other only in a few bits.

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
Hang on, wasn't he holding a wooden parrot? No! It was a porcelain owl.
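An added example, not part of Jan Grant's message or the FreeBSD list: a toy Merkle-Damgard hash with a 16-bit chaining state (built from truncated SHA-256 as a stand-in for MD5's compression function) showing the property described above. A collision found for the chaining value reached after an arbitrary prefix extends to any common suffix, so two files end up with the same hash, while nothing ties either hash to the hash of the original prefix. The `BLOCK` size, `compress`, `toy_hash`, `find_collision` and `demo` names and the sample inputs are all assumptions of this example.

```python
# Added example (not from the thread): toy Merkle-Damgard hash with a 16-bit
# state, standing in for MD5's 128-bit chaining value, to show why a collision
# found for a chosen chaining value (IV) extends to any common prefix/suffix.
import hashlib
import itertools

BLOCK = 4  # bytes per block (toy; MD5 uses 64)

def compress(state, block):
    """Toy compression: (16-bit state, block) -> new 16-bit state."""
    d = hashlib.sha256(state.to_bytes(2, "big") + block).digest()
    return int.from_bytes(d[:2], "big")

def toy_hash(msg, iv=0):
    """Iterate compress() over zero-padded blocks, Merkle-Damgard style."""
    if len(msg) % BLOCK:
        msg += b"\x00" * (BLOCK - len(msg) % BLOCK)
    state = iv
    for i in range(0, len(msg), BLOCK):
        state = compress(state, msg[i:i + BLOCK])
    return state

def find_collision(iv):
    """Birthday search for two distinct blocks colliding under chaining value
    iv. Cheap here because the state is 16 bits; for real MD5 this step is
    the cryptanalytic result under discussion, not brute force."""
    seen = {}
    for n in itertools.count():
        b = n.to_bytes(BLOCK, "big")
        h = compress(iv, b)
        if h in seen:
            return seen[h], b
        seen[h] = b

def demo(prefix, suffix):
    """Collide under the chaining value reached after `prefix`, then append a
    common `suffix`: both files hash alike, but nothing forces either hash to
    equal the hash of `prefix` itself (a collision, not a second preimage)."""
    assert len(prefix) % BLOCK == 0, "keep the collision block aligned"
    state = toy_hash(prefix)          # the attacker's IV = state after prefix
    b1, b2 = find_collision(state)
    return {"original": toy_hash(prefix),
            "file1": toy_hash(prefix + b1 + suffix),
            "file2": toy_hash(prefix + b2 + suffix),
            "block1": b1, "block2": b2}

if __name__ == "__main__":
    # Constructed sample input; prefix length is a multiple of BLOCK.
    print(demo(b"Hello, world!!!!", b"--trailer data--"))
```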