From: Laurent Demailly <dl@hplyot.obspm.fr>
To: fc@all.net (Dr. Frederick B. Cohen)
Message Hash: 08a77e3947f1279106d5edabcdc6c4aec47a1f139551b36859f4136ff2a98aef
Message ID: <9510241745.AA10318@hplyot.obspm.fr>
Reply To: <9510241425.AA08815@hplyot.obspm.fr>
UTC Datetime: 1995-10-24 17:46:44 UTC
Raw Date: Tue, 24 Oct 95 10:46:44 PDT
Subject: Re: MD5 weakness ? [was Re: Netscape Logic Bomb detailed by IETF]
MIME-Version: 1.0
Content-Type: text/plain
<grrrrrrr>
Frederick B. Cohen writes:
> > > [...] uses an MD5 checksum which the members
> > > of this list seem to place unlimited trust in (incorrectly in my view,
> > > but that would be picking two nits with one keyboard entry).
[me]> Can you elaborate WITH FACTS on the supposed weakness of MD5?
**********
I wonder what is your definition of facts...
> I didn't say that there were any weaknesses in MD5, all I said was:
> "unlimited trust ... (incorrectly in my view...)"
>
> The lack of adequate demonstration of strength is not the same as a
> weakness. It represents only a lack of adequate assurance for placing
> more than a certain amount of trust in MD5 for the purpose it is being
> used to accomplish.
>
> As to weaknesses, I seem to remember that someone managed to forge a
> modification to a program used to observe networks on a Sun so that it
> had the same MD5 checksum as the official trusted version. But whether
This is absolute bullshit with a probability of (2^128-1)/2^128
> this is real is not strictly the issue.
On the contrary, real things should be the issue... not random thoughts
> In the case of the trust being placed in MD5 by Netscape, the assumption
> being made (without adequate support as far as I can tell) is that an
Because you can't tell that 1+1=2 doesn't imply people have to worry...
> MD5 checksum cannot be forced, through a chosen plaintext attack, to
> yield checksums of 1, 2, 3, 5, 7, 9, ... on up to enough primes to
> allow the known plaintext attack that gets the RSA private key used to
> authenticate messages. As far as I am aware (and I may not be aware of
> everything) there is no reference work to support this assumption. If
The fact that you obviously didn't take the time to do any
search/reading on the subject does not allow you to go on with mad
assumptions...
> the assumption is wrong, then the whole SSL can fall to a selected
> plaintext attack launchable (presumably) through those general purpose
> Java applets we have heard so much about.
FYI, ( false => false ) is a true expression... starting from a false
assumption you can demonstrate *anything*
{ if 1+1!=2, lots of things "fall" }
[me]> [btw who talked about 'unlimited' trust ?]
> There has been no limit given by anyone on this list to the level of
> trust they place in MD5. Several people have posted (without
> contention) that MD5 is sufficiently trustworthy to trust billions of
> dollars in commerce to its being able to prevent a selected plaintext
> attack as alluded to above. If you think we should trust it, and you
> don't limit your assessment of trust, what other assumption should I
> make? If several people proclaim that trust and nobody stands up in
> disagreement, tacit agreement is my normal (although not necessarily
> justified) assumption.
AGAIN, the limit is 2^128 computer operations (as I quoted from the RFC
days ago), which is IMO certainly NOT the weakest part of the security
chain...
Do you actually read anything people are mailing or writing ?
</grrrrrrr>
sorry again, I feel tested...
dl
--
Laurent Demailly * http://hplyot.obspm.fr/~dl/ * Linux|PGP|Gnu|Tcl|... Freedom
Prime#1: one hundred five thousand one hundred five billion one hundred five thousand one hundred sixty-seven
cracking SEAL Team 6 counter-intelligence DES Pasqua Qaddafi class struggle
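The exchange above turns on two different kinds of "forgery" that get the same name in the thread: producing a second message whose digest matches a fixed, already-published one (the rumoured "same MD5 checksum as the official trusted version"), and producing any pair of messages with the same digest. RFC 1321 itself quotes different costs for these: on the order of 2^128 operations for a given digest, and on the order of 2^64 for a colliding pair, because the second is a birthday search. The script below is an added example written for this page, not code from either correspondent; it truncates MD5 to a small number of bits (a constructed toy setting, so that the searches finish instantly) and reports how many trials each search actually needed next to the 2^n and roughly 2^(n/2) estimates, so the gap between the two attacks is visible rather than asserted. The message strings and the `bits` parameter are arbitrary choices of this example.

```python
"""Second-preimage vs. birthday-collision effort on a truncated MD5.

Added illustration, not part of the original mailing-list message.
MD5 is truncated to `bits` bits so both brute-force searches run in
milliseconds; the trial counts are then compared with the textbook
estimates 2^bits (second preimage) and about sqrt(pi/2 * 2^bits)
(birthday collision).
"""
import hashlib
import math


def truncated_md5(data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of MD5(data) as an integer."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)


def find_second_preimage(target: int, bits: int, prefix: bytes = b"msg-"):
    """Try counters until a message's truncated digest equals `target`.

    Models the "forged program with the same checksum as the official
    one" scenario: the digest is fixed in advance, so nothing cheaper than
    a linear scan of the digest space applies. Expected trials: 2**bits.
    Returns (message, trials).
    """
    n = 0
    while True:
        n += 1
        candidate = prefix + str(n).encode()
        if truncated_md5(candidate, bits) == target:
            return candidate, n


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Birthday search: hash messages until two distinct ones share a digest.

    Neither message is fixed in advance, so every new digest is compared
    against all earlier ones. Expected trials: about sqrt(pi/2 * 2**bits).
    Returns (message_a, message_b, trials).
    """
    seen = {}
    n = 0
    while True:
        n += 1
        candidate = prefix + str(n).encode()
        h = truncated_md5(candidate, bits)
        if h in seen:
            return seen[h], candidate, n
        seen[h] = candidate


def expected_trials(bits: int):
    """(second-preimage estimate, birthday-collision estimate) for `bits` bits."""
    return 2 ** bits, math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    bits = 16  # toy digest width; 128 is the real MD5 and is out of reach
    official = b"official-version"          # constructed sample "trusted" message
    target = truncated_md5(official, bits)

    forged, pre_trials = find_second_preimage(target, bits)
    a, b, col_trials = find_collision(bits)
    est_pre, est_col = expected_trials(bits)

    print(f"digest width: {bits} bits")
    print(f"second preimage of {official!r}: {forged!r} after {pre_trials} trials "
          f"(estimate {est_pre})")
    print(f"collision: {a!r} == {b!r} after {col_trials} trials "
          f"(estimate {est_col:.0f})")
```

Raising `bits` by one doubles the second-preimage work but multiplies the collision work by only about 1.41, which is why the two RFC 1321 figures differ by a factor of 2^64 for the full digest. On the question Cohen actually raises (forcing a digest to equal a chosen small value such as 1, 2, 3, ...), the relevant search is the fixed-target one, not the birthday one.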