Slashdot Mirror

← Back to Stories (view on slashdot.org)

Practical Exploits of Broken MD5 Algorithm

Posted by CowboyNeal on from the as-news-breaks-so-does-encryption dept.

jose parinas writes "A practical sample of an MD5 exploit can be found, with source code included,in codeproject, a site for .Net programmers. The intent of the demos is to demonstrate a very specific type of attack that exploits the inherent trust of an MD5 hash. It's sort of a semi-social engineering attack. At Microsoft, the MD5 hash functions are banned. The main problem is that the attack is directed to the distribution of software process, as you can understand reading the paper, Considered Harmful Someday. Some open source programs, like RPM, use MD5, and in many open source distributions MD5 is used as check sum."

9 of 253 comments (clear)

  1. So if you need a freely available hash algorithm by MadMoses · · Score: 4, Informative

    ...better use Tiger or Whirlpool (based on AES). AFAIK there are no known vulnerabilities or attacks for these two yet.

    --

    Do not be alarmed. This is only a test.
  2. A quick note by Darren+Winsper · · Score: 4, Informative

    This seems to work on the assumption that you want to do some harm with a program you created yourself, you can't actually take a random RPM and turn it into an evil RPM with the same MD5. So, yes, it's bad, but it's not as bad as you might think.

  3. Re:Checksums are always going to be vulnerable by Anonymous Coward · · Score: 5, Informative

    This completely misses the point of cryptographic hashes.

    The point is that it is supposed to be difficult to find another data set which hashes to the same value without doing a brute-force search. Of course you will get collisions, but the changes are (supposed to be) 1 in 2^80 with MD5 or 1 in 2^128 with SHA-1.

    The exploits mentioned above are that the algorithms (MD5 and to some extent SHA-1) have been broken to allow you to construct a piece of data which hashes to the same value as the original. This is VERY different from the fact that you get collisions.

  4. Re:Checksums are always going to be vulnerable by ceeam · · Score: 4, Informative

    (sigh) Insightful, my ass... Checksums are NOT reversible. The main trick here is to replace one file with another and leave the hash/checksum the same by patching the fake file. (For practically every file format there exists a spare space where this patching could be done.)

  5. Actually RPM uses MD5 and SHA1 by seifried · · Score: 5, Informative

    RPM uses both MD5 and SHA1, the chances of finding a collision that satisfies both hashes is small, even if both MD5 and SHA1 are compromised since the hash the data differently.

    rpm -Kvv xorg-x11-libs-6.8.2-37.FC4.49.2.i386.rpm
    D: Expected size: 2655615 = lead(96)+sigs(344)+pad(0)+data(2655175)
    D: Actual size: 2655615
    D: opening db index /var/lib/rpm/Packages rdonly mode=0x0
    D: locked db index /var/lib/rpm/Packages
    D: opening db index /var/lib/rpm/Pubkeys rdonly mode=0x0
    D: read h# 278 Header sanity check: OK
    D: ========== DSA pubkey id b44269d0 4f2a6fd2 (h#278)
    ./updates-released/packages/xorg-x11-libs-6.8.2-37 .FC4.49.2.i386.rpm:
    Header V3 DSA signature: OK, key ID 4f2a6fd2
    Header SHA1 digest: OK (f37bf5cb97db696f14133b90e23f2455b9f94587)
    MD5 digest: OK (8eda29837b6992876bd867df03b3b8af)
    V3 DSA signature: OK, key ID 4f2a6fd2
    D: closed db index /var/lib/rpm/Pubkeys
    D: closed db index /var/lib/rpm/Packages
    D: May free Score board((nil))

  6. Re:filesystems... by ArsenneLupin · · Score: 5, Informative
    Reiserfs (and lots of other filesystems ... and lots of other system components in general) might use hash functions to speed up lookups. These hash functions however do not need to be cryptographically secure. The hash (which is usually very short, so much that brute force would be feasible) is only used as an index into an array of "buckets". Each bucket may contain multiple files, and the system still uses a bit-by-bit comparison on the full names to find the correct entry.

    The point is to reduce the set among which to do an exhaustive search (one small hash bucket versus all known files on the system), and not to verify some kind of signature.

    Any successful attack on the hash would only be useful to make the system slow and unefficient (by making an excessive number of files end up in one bucket), but cannot corrupt it.

  7. Re:Checksums are always going to be vulnerable by Ckwop · · Score: 5, Informative

    But all that enables you to do is replace an MD5'd file with garbage that happens to have the same MD5 sum. It's hard to deliver a payload when you're limited to tricking a target into downloading what would be (essentially) a random string of ones and zeroes.


    At Toorcon this year, Dan Kaminsky showed how to generate two valid, nicely rendered, html files with the same hash . Basically, he injects javascript into the page to remove the rubbish at the begining of the file. But how often to do you view the source of a page you're visiting. It'd be hard for a layperson to notice this. Make no mistake about it, the collision attack is very dangerous.


    Simon

  8. Re:So if you need a freely available hash algorith by poopdeville · · Score: 5, Informative
    I am no cryptography expert so I can not read and understand those algorithms. But the fact that there are no known vilnerabilities for an algorithm doesn't make it secure. Maybe they are just not used as much as other well known algorithms. And therefore nobody has found vulnerabilities for them yet?

    This is a complicated issue. Generally, the security offered by an encryption algorithm isn't measured by its popular usage, but by the amount of time qualified professional cryptographyers/mathematicians/hackers have studied it without finding a critical vulnerability. My claim is probably too broad: there is no magical formula that determines how secure an algorithm is. But in depth work by professionals does endear confidence in an algorithm.

    As a general rule of thumb, it is wise to use an algorithm that has been seriously studied for 10-20 years. At this point, it is modern enough to withstand modern brute force attacks, and (hopefully) understood well enough to ensure that there are no structural vulnerabilities. If it is much older than that and still studied, it is likely because a flaw has been found and people are trying to push it as far as it goes.

    --
    After all, I am strangely colored.
  9. There are some limitations to this attack by GekkePrutser · · Score: 5, Informative

    As far as I know, the technique used for finding these MD5 collisions, cannot be performed with a GIVEN hash. So it's not possible to create, say, a copy of an already available RPM, add malicious code to it, and easily find some data to add to it to generate the same hash. This is not possible.

    The only thing the current 'crack' does is create two RANDOM input files that generate the same hashed output. So it's only useful for someone who can control both the 'original' and the 'malicious' version of the data which is being protected by an MD5 hash.

    So the dangers here are kind of limited though you could still do a lot of damage with it.