From: "Perry E. Metzger" <perry@piermont.com>
Date: Tue, 2 Jul 1996 01:14:24 +0800
To: "David F. Ogren" <ogren@cris.com>
Subject: Re: rsync and md4
In-Reply-To: <199607010605.CAA24104@darius.cris.com>
Message-ID: <199607011320.JAA20895@jekyll.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain



"David F. Ogren" writes:
> I stand by my statements.

Then you have lost all your reputation with me. If you don't even have
the integrity to admit that you are wrong, you are obviously not a
reasonable source of information.

> However, MD5 (and MD4) have not been completely cracked.  The problems that 
> you bring up have to do with situations where an active attacker develops a 
> slightly different pair of documents with the same hash.

I believe that is "cracked" under most definitions of cryptographic
hashes, Mr. Ogren. A cryptographic hash is supposed to be useable in a
signature precisely because it is supposed to be computationally
infeasable to find two documents with the same hash. Whether both
documents are chosen by the attacker or only one is immaterial -- the
property as stated is independant of that. As things stand, you can
get someone to sign a contract saying "I agree to pay David F. Ogren
$100" and turn it into one saying "I agree to pay David F. Ogren
$2395.39" or some such. If that isn't "cracked" what would be
"cracked"? Yes, it could be worse, but is this not far more than bad
enough?

> Although this is highly undesirable characteristic for a hash function, and 
> shows a weakness in the function that may eventually lead to its being 
> completely cracked, it does not mean that a fraudulent document can be 
> created from an already signed document.

Whatever you like, Mr. Ogren.

Perry