Slashdot Mirror

← Back to Stories (view on slashdot.org)

MD5 To Be Considered Harmful Someday

Posted by michael on from the house-built-on-sand dept.

Effugas writes "I've completed an applied security analysis (pdf) of MD5 given Xiaoyun Wang et al's collision attack (covered here and here). From an applied perspective, the attack itself is pretty limited -- essentially, we can create 'doppelganger' blocks (my term) anywhere inside a file that may be swapped out, one for another, without altering the final MD5 hash. This lets us create any number of binary-inequal files with the same md5sum. But MD5 uses an appendable cascade construction -- in other words, if you happen to find yourself with two files that MD5 to the same hash, an arbitrary payload can be applied to both files and they'll still have the same hash. Wang released the two files needed (but not the collision finder itself). A tool, Stripwire, demonstrates the use of colliding datasets to create two executable packages with wildly different behavior but the same MD5 hash. The faults discovered are problematic but not yet fatal; developers (particularly of P2P software) who claim they'd like advance notice that their systems will fail should take note."

7 of 401 comments (clear)

  1. Two files with the same md5 hash? by Anonymous Coward · · Score: 5, Funny

    I can only hope I live that long.

  2. MP5 harmful? No way! by October_30th · · Score: 5, Funny

    Aha! So it was MD5 and not MP5...

    --
    The owls are not what they seem
  3. Good analysis by overbyj · · Score: 5, Funny

    By examining the MD5 hash using a sophisticated Fourier schema followed by deconvolution with a bit binary-inequal collision analysis, it is quite obvious I have no freaking clue what this stuff is about.

    I am glad somebody does.

    --
    No trees were harmed in the composition of this; however, numerous electrons were inconvenienced.
  4. Correct me if I'm wrong, but... by Sheetrock · · Score: 5, Insightful
    If I'm translating this properly, a malicious person can do two things with this knowledge:

    He can create a file that MD5sum's to the same result as a legitimate file, but does not have full control over the content or size of the result (making this a mostly useless avenue of exploitation except for people who want to spread trash on P2P networks -- I.E. it shouldn't particularly bother anyone except people who already don't care about security).

    Or he can create two files that MD5sum to the same result. But he has to have control over both files, which offers effectively no advantage to someone who is trying to spread malware or tamper with existing archives that have been MD5summed.

    Consequently, while this is of academic interest I don't see what the big deal is; any time you reduce a large file to a fingerprint you will inevitably run into problems like this because it is impossible to represent one-to-one every individual possible combination of a large set of data in smaller sets ("fingerprints"). You can reduce the risk by increasing the set domain with a larger variadic function but it is impossible to escape this constraint without using fingerprints as large as the data itself.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.




  5. If I Had A Million Terabytes... by Tackhead · · Score: 5, Funny
    If I had a million terabytes of storage, y'know what I'd do?

    Two files with the same MD5 hash at once. Aaw yeah.

  6. Re:damn by WolfWithoutAClause · · Score: 5, Interesting
    There will ALWAYS be collisions with any kind of hashing algorythm.

    Yes, but a good hash makes it *extremely* difficult to find them. MD5 is looking pretty mediocre right now.

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
  7. The "Detailed Summary" by Effugas · · Score: 5, Informative

    [This is the author]

    I've been doing some analysis on MD5 collision announced by Wang et al. Short version: Yes, Virginia, there is no such thing as a safe hash collision -- at least in a function that's specified to be cryptographically secure. The full details may be acquired at the following link:

    http://www.doxpara.com/md5_someday.pdf

    A tool, Stripwire, has been assembled to demonstrate some of the attacks described in the paper. It may be acquired at the following address:

    http://www.doxpara.com/stripwire-1.1.tar.gz

    Incidentally, the expectations management is by no means accidental -- the paper's titled "MD5 To Be Considered Harmful Someday" for a reason. Some people have said there's no applied implications to Joux and Wang's research. They're wrong; arbitrary payloads can be successfully integrated into a hash collision. But the attacks are not wildly practical, and in most cases exposure remains thankfully limited, for now. But the risks are real enough that responsible engineers should take note: This is not merely an academic threat, systems designed with MD5 now need to take far more care than they would if they were employing an unbroken hashing algorithm, and the problems are only going to get worse.

    Some highlights from the paper:

    * The attack itself is pretty limited -- essentially, we can create "doppelganger" blocks (my term) anywhere inside a file that may be swapped out, one for another, without altering the final MD5 hash. This lets us create any number of binary-inequal files with the same md5sum.

    * MD5 uses an appendable cascade construction -- in other words, if you happen to find yourself with two files that MD5 to the same hash, an arbitrary payload can be applied to both files and they'll still have the same hash. This leads to...

    * Attacks are possible using only the proof of concept test vectors released by Wang -- the actual attack is not necessary.

    * Stripwire emits two binary packages. They both contain an arbitrary payload, but the payload is encrypted with AES. Only one of the packages ("Fire") is decryptable and thus dangerous; the other ("Ice") shields its data behind AES. Both files share the same MD5 hash.

    * Digital Signature systems are vulnerable, as they almost always sign a hashed representation of data rather than the data itself.

    * This is an excellent vector for malicious developers to get unsafe code past a group of auditors, perhaps to acquire a required third party signature. Alternatively, build tools themselves could be compromised to embed safe versions of dangerous payloads in each build. At some later point, the embedded payload could be safely "activated", without the MD5 changing. This has implications for Tripwire, DRM, and several package management architectures.

    * HMAC's invulnerability has been slightly overstated. It's definitely possible, given the key, to create two datasets with the same HMAC. Attacker possession of the key violates MAC presumptions, so the impact of this is particularly questionable.

    * Very interesting possibilities open up once the full attack is made available -- among other things, we can create self-decrypting executables (fire.exe and ice.exe) that exhibit differential behavior based on their internal colliding payloads. They'll still have the same MD5 hash.

    * Several doppelgangers may (relatively quickly, as per Joux) be computed within a single multicollision-friendly block. As such, the particular selection of doppelganger sets within a file can itself be made to represent data. It's relatively straightforward to embed a 128 bit signature inside an arbitrary file, in such a way that no matter the value of the signature, a constant MD5 hash is maintained. This is curiously steganographic.

    * Many popular P2P networks (and innumerable distributed content databases) use MD5 hashes as both a reliable search handle and a mechanism to ensure file integrity. This makes them blind to any sign