Slashdot Log In
MD5 To Be Considered Harmful Someday
Posted by
michael
on Tue Dec 07, 2004 04:06 PM
from the house-built-on-sand dept.
from the house-built-on-sand dept.
Effugas writes "I've completed an applied security analysis (pdf) of MD5 given Xiaoyun Wang et al's collision attack (covered here and here). From an applied perspective, the attack itself is pretty limited -- essentially, we can create 'doppelganger' blocks (my term) anywhere inside a file that may be swapped out, one for another, without altering the final MD5 hash. This lets us create any number of binary-inequal files with the same md5sum. But MD5 uses an appendable cascade construction -- in other words, if you happen to find yourself with two files that MD5 to the same hash, an arbitrary payload can be applied to both files and they'll still have the same hash. Wang released the two files needed (but not the collision finder itself). A tool, Stripwire, demonstrates the use of colliding datasets to create two executable packages with wildly different behavior but the same MD5 hash. The faults discovered are problematic but not yet fatal; developers (particularly of P2P software) who claim they'd like advance notice that their systems will fail should take note."
This discussion has been archived.
No new comments can be posted.
MD5 To Be Considered Harmful Someday
|
Log In/Create an Account
| Top
| 401 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
damn (Score:2, Interesting)
Re:damn (Score:4, Insightful)
(http://www.networkboy.net/)
-nB
Re:damn (Score:5, Insightful)
Another condition is obviously that the message should not be reconstructable from the hash.
Almost forgot (Score:4, Interesting)
(http://slashdot.org/ | Last Journal: Saturday November 03, @04:58AM)
Where time isn't critical (eg: creating and validating checksums for files), I'd say use both. The overhead isn't great, and you'd get much more security.
Where time is critical AND you don't have to be concerned with computers not under your control, use Whirlpool. Rijndael is fast, SHA-1 is slow. Whirlpool also offers a longer hash string than SHA-1.
In any other situation, use SHA-1. Whirlpool might turn out to be the greatest algorithm out there, but that doesn't help if you're trying to talk to a remote computer that doesn't support it.
Re:damn (Score:5, Interesting)
(http://slashdot.org/)
Yes, but a good hash makes it *extremely* difficult to find them. MD5 is looking pretty mediocre right now.
Two files with the same md5 hash? (Score:5, Funny)
Re:Two files with the same md5 hash? (Score:5, Informative)
(http://www.touset.org/)
MP5 harmful? No way! (Score:5, Funny)
(http://finnbiff.multiply.com/ | Last Journal: Saturday May 12 2007, @10:04AM)
Exploit? (Score:5, Interesting)
(http://fedoraproject.org/wiki/JonCiesla | Last Journal: Thursday December 05 2002, @02:46PM)
Re:Exploit? (Score:4, Insightful)
(Last Journal: Tuesday September 07 2004, @10:01PM)
Re: Exploit? (Score:4, Informative)
This would worry me, except that BT uses SHA1, not MD5, so this is irrelevant. MD5 has seemed suspect for years, & Bram's the sort to pay attention to that sort of thing.
I checked; Edonkey is based on MD4. Gnutella variants might use MD5.
Re:Exploit? (Score:4, Informative)
file1: xxxxccccccc....
file2: yyyyccccccc....
%file1 = %file2
Which is the example given in the article.
However, Wang said she could get to a collision from any intermediate hash code within the hour (according to the article). That would mean:
file1: ccccxxxxccccccccc......
file2: ccccyyyyccccccccc......
%file1 = %file2
Where xxxx and yyyy are (pre?)calculated and cccc.... is the payload.
If _I_ am not mistaken.
In english (Score:4, Funny)
Re:In english (Score:5, Informative)
Short version: A common technology for verifying that a file you've downloaded is legitimate and untampered-with, known as MD5, isn't as secure as people thought.
Slightly longer version: MD5 is a way of generating a checksum -- a single, comparable value -- from a file. Ideally it is supposed to give you different numbers for different files, so if a web site advertises the checksum a file should have, you can compare that with one generated from the file you actually got to see whether the file you've downloaded has been modified, potentially maliciously.
The research shows that it is possible for someone to construct a drop-in replacement for the file you thought you had that generates the same MD5 checksum as the original, so anyone attempting to validate the file this way would think they had the real thing. If it turns out that you can construct a damaging replacement for a common file -- perhaps an installer for a popular application like Firefox or OpenOffice that's usually downloaded from a public server -- then this could open a loophole for viruses, worms, etc. that would slip through the security net often used by cautious people when downloading such programs.
What does this mean (Score:2)
Good analysis (Score:5, Funny)
I am glad somebody does.
Re:Good analysis (Score:4, Funny)
Homer: Say it in English, Doc.
Hibbert: You're going to need open heart surgery.
Homer: Spare me your medical mumbo jumbo.
Hibbert: We're going to cut you open and tinker with your ticker.
Homer: Could you dumb it down a shade?
http://www.tvtome.com/tvtome/servlet/GuidePageSer
Let's face it (Score:3, Insightful)
Cryptographic stacking potentially harmful (Score:4, Insightful)
(http://www.iccs.inf.ed.ac.uk/~s0239229/ | Last Journal: Wednesday May 23 2007, @03:28AM)
Maybe, maybe not. The new technique would certainly be more difficult to analyse mathematically, but just stacking complicated but flawed methods does not necessarily result in a more secure method: typically, the security of the weakest link determines the security of the whole system.
What you say reminds me of Don Knuth's experience when he wrote his first innocent 'super' pseudo random number generator (reported in his Art of Computer Programming, Volume 2, page 4: "Algorithm K" ;-): he composed all sorts of complicated operations, but had to learn the resulting number sequence was far from more (pseudo-)random, in fact much worse than the the standard 1-line modulo function.
Another case of (false sense of) security through obscurity?
--
Try Nuggets [mynuggets.net], our SMS search engine which uses question answering technology; now available across the UK.
md5 vs sha1 vs ? (Score:5, Informative)
(http://guerillartivism.net/ | Last Journal: Monday July 11 2005, @05:48PM)
here is a very good link about the algo...
This is almost appropriate... (Score:4, Funny)
And your double-clicking icon puts your window in the trash,
And your data is corrupted 'cause the index doesn't hash,
Then your situation's hopeless and your system's gonna crash!
Correct me if I'm wrong, but... (Score:5, Insightful)
(http://www.youtube.com/watch?v=bA-DReZYftg | Last Journal: Sunday November 12 2006, @01:05AM)
He can create a file that MD5sum's to the same result as a legitimate file, but does not have full control over the content or size of the result (making this a mostly useless avenue of exploitation except for people who want to spread trash on P2P networks -- I.E. it shouldn't particularly bother anyone except people who already don't care about security).
Or he can create two files that MD5sum to the same result. But he has to have control over both files, which offers effectively no advantage to someone who is trying to spread malware or tamper with existing archives that have been MD5summed.
Consequently, while this is of academic interest I don't see what the big deal is; any time you reduce a large file to a fingerprint you will inevitably run into problems like this because it is impossible to represent one-to-one every individual possible combination of a large set of data in smaller sets ("fingerprints"). You can reduce the risk by increasing the set domain with a larger variadic function but it is impossible to escape this constraint without using fingerprints as large as the data itself.
Re:Correct me if I'm wrong, but... (Score:4, Informative)
(http://blog.case.edu/moof/)
Re:Correct me if I'm wrong, but... (Score:5, Insightful)
(http://www.cs.cmu.edu/~leak)
Secondly, this is quite a signifigant break. Once a hash function has had an attack like this discovered, it often becomes completely useless not long down the road. I work in cryptography, and the people I know have written off MD5. Heck, the people I know are also quite worried about SHA-1, and the current best attack against that one isn't nearly as strong.
The upshot of this is that this hash function should NOT be considered secure any more. For now, if you are not protecting anything of high value, you're probably fine. Tomorrow? Possbily. But soon, you're not going to be protected at all, and so you should start worrying about that now, instead of when you're already in trouble.
Lea
You're wrong. (Score:5, Informative)
He can create a file that MD5sum's to the same result as a legitimate file, but does not have full control over the content or size of the result (making this a mostly useless avenue of exploitation except for people who want to spread trash on P2P networks -- I.E. it shouldn't particularly bother anyone except people who already don't care about security).
Suppose you're storing passwords as encrypted hashes, so that intercepting the hashes doesn't tell you what the password is. But if you can generate a password to match that MD5...
You know that GPG keys are identified and signed by their MD5 hashes? Suppose that I can generate a GPG key that would be identified as yours, and distributed it.
Or he can create two files that MD5sum to the same result. But he has to have control over both files, which offers effectively no advantage to someone who is trying to spread malware or tamper with existing archives that have been MD5summed.
There's a coin-flipping protocol that goes as follows. Suppose that Alice and Bob want to flip a coin (over the Internet), but they don't trust each other.
Now, suppose that Alice generated multiple files in step 1. When Bob makes his guess, she tries to pick a file that will make her win. If she generated only two files, completely randomly, this would let Alice win 75% of the time.
These are just the first ideas I thought of. If I were looking for other problems, I'd think about undeniable signatures [rsasecurity.com], keysigning (which as GPG and X.509 SSL are heavily based on) and other specialized signature systems. In particular, I expect that the first type of crack could cause issues with SSH keys, both user keys (used for authentication) and host keys (to prevent man-in-the-middle attacks).
Digital signatures are used for much more than just testing for file tampering.
I have a novel solution (Score:1)
(http://www.quux.info/)
Buy it instead.
I'm kidding. I download Linux distro's via bittorrent all the time and willfully ignore the MD5 sum, and now I come to find that it's compromisable. OH SNAP!
I can envision something being added on to bittorrent to prevent bad blocks being passed around via ... magic. Okay. I can't really envision it, but I'm sure it can be done.
On to the next topic I'm not qualified to comment on...
Not just MD5 (Score:3, Interesting)
SHA-256 is a good replacement. SHA-1 should be fine but if you are going through the trouble of an upgrade, why not make it sufficiently future proof?
If I Had A Million Terabytes... (Score:5, Funny)
Two files with the same MD5 hash at once. Aaw yeah.
FYI (Score:1)
The exploit has used the properties of the MD5 algorithm to create two executable files with the same MD5 sum.
The "Detailed Summary" (Score:5, Informative)
(http://www.doxpara.com/)
I've been doing some analysis on MD5 collision announced by Wang et al. Short version: Yes, Virginia, there is no such thing as a safe hash collision -- at least in a function that's specified to be cryptographically secure. The full details may be acquired at the following link:
http://www.doxpara.com/md5_someday.pdf
A tool, Stripwire, has been assembled to demonstrate some of the attacks described in the paper. It may be acquired at the following address:
http://www.doxpara.com/stripwire-1.1.tar.gz
Incidentally, the expectations management is by no means accidental -- the paper's titled "MD5 To Be Considered Harmful Someday" for a reason. Some people have said there's no applied implications to Joux and Wang's research. They're wrong; arbitrary payloads can be successfully integrated into a hash collision. But the attacks are not wildly practical, and in most cases exposure remains thankfully limited, for now. But the risks are real enough that responsible engineers should take note: This is not merely an academic threat, systems designed with MD5 now need to take far more care than they would if they were employing an unbroken hashing algorithm, and the problems are only going to get worse.
Some highlights from the paper:
* The attack itself is pretty limited -- essentially, we can create "doppelganger" blocks (my term) anywhere inside a file that may be swapped out, one for another, without altering the final MD5 hash. This lets us create any number of binary-inequal files with the same md5sum.
* MD5 uses an appendable cascade construction -- in other words, if you happen to find yourself with two files that MD5 to the same hash, an arbitrary payload can be applied to both files and they'll still have the same hash. This leads to...
* Attacks are possible using only the proof of concept test vectors released by Wang -- the actual attack is not necessary.
* Stripwire emits two binary packages. They both contain an arbitrary payload, but the payload is encrypted with AES. Only one of the packages ("Fire") is decryptable and thus dangerous; the other ("Ice") shields its data behind AES. Both files share the same MD5 hash.
* Digital Signature systems are vulnerable, as they almost always sign a hashed representation of data rather than the data itself.
* This is an excellent vector for malicious developers to get unsafe code past a group of auditors, perhaps to acquire a required third party signature. Alternatively, build tools themselves could be compromised to embed safe versions of dangerous payloads in each build. At some later point, the embedded payload could be safely "activated", without the MD5 changing. This has implications for Tripwire, DRM, and several package management architectures.
* HMAC's invulnerability has been slightly overstated. It's definitely possible, given the key, to create two datasets with the same HMAC. Attacker possession of the key violates MAC presumptions, so the impact of this is particularly questionable.
* Very interesting possibilities open up once the full attack is made available -- among other things, we can create self-decrypting executables (fire.exe and ice.exe) that exhibit differential behavior based on their internal colliding payloads. They'll still have the same MD5 hash.
* Several doppelgangers may (relatively quickly, as per Joux) be computed within a single multicollision-friendly block. As such, the particular selection of doppelganger sets within a file can itself be made to represent data. It's relatively straightforward to embed a 128 bit signature inside an arbitrary file, in such a way that no matter the value of the signature, a constant MD5 hash is maintained. This is curiously steganographic.
* Many popular P2P networks (and innumerable distributed content databases) use MD5 hashes as both a reliable search handle and a mechanism to ensure file integrity. This makes them blind to any sign
Cash Money? (Score:2)
(http://grendel.dyndns.org/)
--grendel drago
I studied different hashes.. (Score:1, Funny)
______ with be harmful/obsolete in the future.. (Score:3, Insightful)
For the most part, big deal, all of current security procedures will be harmful ie compromised in the future...
Solution: Use more than one hash algorithm (Score:3, Informative)
(http://itheresies.blogspot.com/ | Last Journal: Wednesday April 28 2004, @12:06AM)
Using MD5 with SHA1, or even the older MD2 or MD4 will reduce the probability of creating a compatable binary with the same checksum to virtually zero.
If only one checksum is required then just XOR the resulting checksums from each algorithm.
birthday attack (Score:2)
(heh, Wang)
Switching to SHA1 (Score:2)
md5_hex to sha1_hex