Date: Sun, 25 Apr 93 13:53:36 PDT
Reply-To: <surfpunk@osc.versant.com>
Return-Path: <cocot@osc.versant.com>
Message-ID: <surfpunk-0081@SURFPUNK.Technical.Journal>
Mime-Version: 1.0
Content-Type: text/plain
From: surfpunk@osc.versant.com (cfrhqbpbyyvfvba)
To: surfpunk@osc.versant.com (SURFPUNK Technical Journal)
Subject: [surfpunk-0081] CRYPT: Pseudocollision in MD5; Pseudoencryption phone

Recently rumor has gone around about whether MD5 has been solved.
Here's a message from RSA about it. Then a parable about the clipper.

Let me elaborate on the MD5 thing. Someone asks whether MD5's inverse
problem or collision problem being solved would let others decrypt your
messages. Perhaps indirectly, but really what it would allow you to do
is to forge messages. If my friend Bob sends a secure message, he
signs not the message, but rather its MD5 hash. If I wanted to send a
message and sign it with his signature, to impersonate him, I would
find one of his public messages with his signature. Then I could come
up with a message that has the same hashing as his public message.
This might involve just adding new space characters to the message I
want him to sign. Then I copy his signature from his public message,
and put it on my message. It works because it signs the same hash code.

Because various control messages are also often signed with MD5, it may
also let me create bogus certificates of public keys. Down this path there
may be some ways of decrypting other people's messages, by providing
them a public key that I can invert, but letting them think it is a
public key that their friend can invert. But this is more indirect.

Some people get upset that SURFPUNK doesn't give away enough secrets.
So here's one: my face is one of those hidden in the cypherpunk
article in the new issue of WIRED. strick

________________________________________________________________________
________________________________________________________________________



Date: Fri, 23 Apr 93 17:15:07 PDT
From: burt@RSA.COM (Burt Kaliski)
To: rsaref-users@RSA.COM
Subject: Pseudocollisions in MD5

Following is a short note commenting on den Boer and Bosselaers'
recent work on the MD5 message-digest algorithm. Feel free to email
questions or further comments.

-- Burt Kaliski
RSA Laboratories

----------------------------------------------------------------------
\documentstyle[12pt]{article}
\begin{document}

\title{On ``Pseudocollisions'' in the MD5 Message-Digest Algorithm}
\author{Burton S. Kaliski Jr. \\
{\tt burt@rsa.com} \and
Matthew J.B. Robshaw \\
{\tt matt@rsa.com} \and
RSA Laboratories \\
100 Marine Parkway \\
Redwood City, CA 94065}
\date{April 23, 1993}

\maketitle

A message-digest algorithm maps a message of arbitrary length to a
``digest'' of fixed length, and has three properties: Computing the
digest is easy, finding a message with a given
digest---``inversion''---is hard, and finding two messages with the
same digest---``collision''---is also hard. Message-digest algorithms
have many applications, including digital signatures and message
authentication.

RSA Data Security's MD5 message-digest algorithm, developed by Ron
Rivest \cite{rfc-md5}, maps a message to a 128-bit message digest.
Computing the digest of a one-megabyte message takes as little as a
second. While no message-digest algorithm can yet be {\em proved}
secure, MD5 is believed to be at least as good as any other that maps
to a 128-bit digest. Inversion should take about $2^{128}$
operations, and collision should take about $2^{64}$ operations. No
one has found a faster approach to inversion or collision.

Recent work by den Boer and Bosselaers \cite{den-boer-md5} presents
a special kind of ``pseudocollision'' in MD5's
internal compression function, which maps
a 512-bit message block $x$ and a
128-bit input state $s$ to a 128-bit output
state. They show how to find a message block $x$
and two related input states $s_1$ and $s_2$ that yield the same
output state: $f(x,s_1) = f(x,s_2)$. Their well-thought-out approach
exploits structural properties of the collision function to find
a pseudocollision in about $2^{16}$ operations, much less than one
would expect.

Practical implications of this pseudocollision work to the security of
MD5 are not evident. While a real collision in MD5 implies a
pseudocollision (or a ``pseudo-inversion''), a
pseudocollision need not imply a real collision. Indeed, a real
collision, since it involves two different messages, would almost
always involve {\em different} message blocks $x_1$ and $x_2$ such that
$f(x_1,s_1) = f(x_2,s_2)$, but the pseudocollisions have the same
message blocks. Moreover, the input states $s_1$ and $s_2$ would
generally be unrelated, but the pseudocollisions' input states are
the same except for four bits. There does not seem to be any way to
extend den Boer and Bosselaers' approach to anything beyond the
special pseudocollisions, a limitation they readily admit.

It is reasonable, therefore, to believe that MD5 remains secure. While den
Boer and Bosselaers have found interesting structural properties in
MD5, the properties seem only to lead to special pseudocollisions
and not anything approaching real collisions. Further research, of
course, will give a better understanding of the strengths of MD5 and
other message-digest algorithms, with the eventual hope that
such algorithms can, in some sense, be proved secure.

\bibliographystyle{plain}
\begin{thebibliography}{1}

\bibitem{den-boer-md5}
Bert den~Boer and Antoon Bosselaers.
\newblock Collisions for the compression function of {MD5}.
\newblock In {\it Advances in Cryptology --- Eurocrypt '93}, 1993.
\newblock Preprint.

\bibitem{rfc-md5}
R.L. Rivest.
\newblock {\it {RFC} 1321: The {MD5 Message-Digest Algorithm}}.
\newblock Internet Activities Board, April 1992.

\end{thebibliography}

\end{document}
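As an added illustration (not part of the digest or of the RSA note), here is the MD5 compression function f(x, s) that the note discusses, written in Python from RFC 1321, together with the padding and chaining that turn it into the full digest; the result is cross-checked against hashlib. It implements the function den Boer and Bosselaers studied but does not reproduce their pseudocollision search; the function names are this example's own.

```python
import hashlib
import math
import struct

# Per-round left-rotation amounts, RFC 1321 section 3.4.
_S = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4
      + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)
# Additive constants T[i] = floor(2^32 * |sin(i + 1)|), i = 0..63.
_K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
# Initial 128-bit state (A, B, C, D) from RFC 1321 section 3.3.
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def compress(x: bytes, s: tuple) -> tuple:
    """f(x, s): 512-bit block x and 128-bit state s -> 128-bit output state."""
    assert len(x) == 64, "x must be one 512-bit block"
    m = struct.unpack("<16I", x)          # sixteen little-endian 32-bit words
    a, b, c, d = s
    for i in range(64):
        if i < 16:                         # round 1: F, word index i
            f, g = (b & c) | (~b & d), i
        elif i < 32:                       # round 2: G
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:                       # round 3: H
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:                              # round 4: I
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & MASK
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & MASK
    # Feed-forward: the input state is added back, so f is not invertible
    # in s even though each of the 64 steps on its own is.
    return tuple((u + v) & MASK for u, v in zip(s, (a, b, c, d)))

def md5_digest(msg: bytes) -> bytes:
    """Merkle-Damgard iteration: pad, then fold compress() over the blocks."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = MD5_IV
    for off in range(0, len(padded), 64):
        state = compress(padded[off:off + 64], state)
    return struct.pack("<4I", *state)

def matches_hashlib(msg: bytes) -> bool:
    """Cross-check this reference implementation against the library."""
    return md5_digest(msg) == hashlib.md5(msg).digest()
```

A pseudocollision in the note's sense is a block x and two states s1, s2 with compress(x, s1) == compress(x, s2); the chaining in md5_digest shows why that alone does not hand you two messages with equal digests, since the attacker does not control the state arriving at a block.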



________________________________________________________________________

Thanks: iansmith@cc.gatech.edu (Ian Smith)

Newsgroups: alt.privacy.clipper,sci.crypt
Subject: A Parable.
References: <1993Apr20.013747.4122@cs.sfu.ca> <1993Apr21.210353.15305@microsoft.com>
Organization: Partnership for an America Free Drug

scottmi@microsoft.com (Scott Miller (TechCom)) writes:
>Strikes me that all this concern over the government's ability
>to eavesdrop is a little overblown... what can't they do today?
>My understanding is that they already can tap, listen, get access
>etc. to our phone lines, bank records, etc. etc again.

Well, they can't listen in on much of mine, since I already use
cryptography for much of my electronic mail, and will start using it
for my telephony as soon as practical.

However, allow me to tell a parable.

There was once a far away land called Ruritania, and in Ruritania
there was a strange phenomenon -- all the trees that grew in
Ruritania were transparent. Now, in the days when people had lived in
mud huts, this had not been a problem, but now high-tech wood
technology had been developed, and in the new age of wood, everyone in
Ruritania found that their homes were all 100% see through. Now, until
this point, no one ever thought of allowing the police to spy on
someone's home, but the new technology made this tempting. This being
a civilized country, however, warrants were required to use binoculars
and watch someone in their home. The police, taking advantage of this,
would get warrants to use binoculars and peer in to see what was going
on. Occasionally, they would use binoculars without a warrant, but
everyone pretended that this didn't happen.

One day, a smart man invented paint -- and if you painted your house,
suddenly the police couldn't watch all your actions at will. Things
would go back to the way they were in the old age -- completely
private.

Indignant, the state decided to try to require that all homes have
video cameras installed in every nook and cranny. "After all", they
said, "with this new development crime could run rampant. Installing
video cameras doesn't mean that the police get any new capability --
they are just keeping the old one."

A wise man pointed out that citizens were not obligated to make the
lives of the police easy, that the police had survived all through the
mud hut age without being able to watch the citizens at will, and that
Ruritania was a civilized country where not everything that was
expedient was permitted. For instance, in a neighboring country, it
had been discovered that torture was an extremely effective way to
solve crimes. Ruritania had banned this practice in spite of its
expedience. Indeed, "why have warrants at all", he asked, "if we are
interested only in expedience?"

A famous paint technologist, Dorothy Quisling, intervened however. She
noted that people might take photographs of children masturbating
should the new paint technology be widely deployed without safeguards,
and the law was passed.

Soon it was discovered that some citizens would cover their mouths
while speaking to each other, thus preventing the police from reading
their lips through the video cameras. This had to be prevented, the
police said. After all, it was preventing them from conducting their
lawful surveillance. The wise man pointed out that the police had never
before been allowed to listen in on people's homes, but Dorothy
Quisling pointed out that people might use this new invention of
covering their mouths with veils to discuss the kidnapping and
mutilation of children. No one in the legislature wanted to be accused
of being in favor of mutilating children, but then again, no one
wanted to interfere in people's rights to wear what they liked, so a
compromise was reached whereby all homes were installed with
microphones in each room to accompany the video cameras. The wise man
lamented few if any child mutilations had ever been solved by the old
lip reading technology, but it was too late -- the microphones were
installed everywhere.

However, it was discovered that this was insufficient to prevent
citizens from hiding information from the authorities, because some of
them would cleverly speak in languages that the police could not
understand. A new law was proposed to force all citizens to speak at
all times only in Ruritanian, and, for good measure, to require that
they speak clearly and distinctly near the microphones. "After all",
Dorothy Quisling pointed out, "they might be using the opportunity to
speak in private to mask terrorist activities!" Terrorism struck
terror into everyone's hearts, and they rejoiced at the brilliance of
this new law.

Meanwhile, the wise man talked one evening to his friends on how all
of this was making a sham of the constitution of Ruritania, of which
all Ruritanians were proud. "Why", he asked, "are we obligated to
sacrifice all our freedom and privacy to make the lives of the police
easier? There isn't any real evidence that this makes any big dent in
crime anyway! All it does is make our privacy forfeit to the state!"

However, the wise man made the mistake of saying this, as the law
required, in Ruritanian, clearly and distinctly, and near a
microphone. Soon, the newly formed Ruritanian Secret Police arrived
and took him off, and got him to confess by torturing him. Torture
was, after all, far more efficient than the old methods, and had been
recently instituted to stop the recent wave of people thinking obscene
thoughts about tomatoes, which Dorothy Quisling noted was one of the
major problems of the new age of plenty and joy.



________________________________________________________________________
________________________________________________________________________

The SURFPUNK Technical Journal is a dangerous multinational hacker zine
originating near BARRNET in the fashionable western arm of the northern
California matrix. Quantum Californians appear in one of two states,
spin surf or spin punk. Undetected, we are both, or might be neither.
________________________________________________________________________

Send postings to <surfpunk@osc.versant.com>, subscription requests
to <surfpunk-request@osc.versant.com>. MIME encouraged.
Xanalogical archive access soon. Don't tell our lawyers.
________________________________________________________________________
________________________________________________________________________