Slashdot Mirror

← Back to Stories (view on slashdot.org)

MD5 Proven Ineffective for App Signatures

Posted by Zonk on from the needs-a-bit-of-retooling dept.

prostoalex writes "Marc Stevens, Arjen K. Lenstra, and Benne de Weger have released their paper 'Vulnerability of software integrity and code signing applications to chosen-prefix collisions for MD5'. It describes a reproducible attack on MD5 algorithms to fake software signatures. Researchers start off with two simplistic Windows applications — HelloWorld.exe and GoodbyeWorld.exe, and apply a known prefix attack that makes md5() signatures for both of the applications identical. Researchers point out: 'For abusing a chosen-prefix collision on a software integrity protection or a code signing scheme, the attacker should be able to manipulate the files before they are being hashed and/or signed. This may mean that the attacker needs insider access to the party operating the trusted software integrity protection or code signing process.'"

2 of 117 comments (clear)

  1. But what of the Crime Wave ?? by Anonymous Coward · · Score: -1, Offtopic

    What of the Crime Wave Thwarted in Second Life ?? Could this nullify the thwartedness of that which thwarted the Crime Wave ?? In Second life? Which begs to question, don't you have to have a life before you can have a second life ?? Damn, so many important considerations to consider thanks to here.

  2. evil linux iso? by Anonymous Coward · · Score: -1, Offtopic

    how many linux computer are infested with trojan?

    linux isn't secure anymore.