Ben Laurie blathering

MD5 Attacks on Arbitrary Messages

I’m somewhat behind the curve on this; it was announced a couple of weeks ago. But it’s an important result.

Stevens, Lenstra and de Weger have shown a collision between two chosen X.509 certificates. The exact method used to construct this collision is not yet documented, it seems, but I believe them – and they do provide an outline.

This is significant because previous attacks on MD5 gave essentially no control over the content of the colliding messages (that is, you can choose a common initial string, and then you get no control over the parts that differ between the two messages), whereas this one allows you to construct two completely different first parts and then append stuff that causes a collision.

Because it’s generally possible to find parts of a message that can be freely chosen (the field they use in the X.509 certificate is the modulus of the public key – another example they give is a Word document with embedded graphics near the end), this gives a far more potent attack than was previously available. Note that because the method is insensitive to initial hash values there’s no requirement that the two initial parts match in any way at all – they can be different lengths and different content. Clearly there are some constraints due to block alignment – but I’ll bet even those could be removed. So, in short, you can get pretty much anything to collide.
