From: fc@all.net (Dr. Frederick B. Cohen)
To: dl@hplyot.obspm.fr (Laurent Demailly)
Message Hash: 53de121b7678563767da6accb23fe93c40b908d6d04dce9ef6dae82d7e636ffb
Message ID: <9510241442.AA12411@all.net>
Reply To: <9510241425.AA08815@hplyot.obspm.fr>
UTC Datetime: 1995-10-24 14:46:20 UTC
Raw Date: Tue, 24 Oct 95 07:46:20 PDT
From: fc@all.net (Dr. Frederick B. Cohen)
Date: Tue, 24 Oct 95 07:46:20 PDT
To: dl@hplyot.obspm.fr (Laurent Demailly)
Subject: Re: MD5 weakness ? [was Re: Netscape Logic Bomb detailed by IETF]
In-Reply-To: <9510241425.AA08815@hplyot.obspm.fr>
Message-ID: <9510241442.AA12411@all.net>
MIME-Version: 1.0
Content-Type: text
> > [...] uses an MD5 checksum which the members
> > of this list seem to place unlimited trust in (incorrectly in my view,
> > but that would be picking two nits with one keyboard entry).
>
> Can you elaborate with facts on the supposed weakness of MD5 ?
I didn't say that there were any weaknesses in MD5, all I said was:
"unlimited trust ... (incorrectly in my view...)"
The lack of adequate demonstration of strength is not the same as a
weakness. It represents only a lack of adequate assurance for placing
more than a certain amount of trust in MD5 for the purpose it is being
used to accomplish.
As to weaknesses, I seem to remember that someone managed to forge a
modification to a program used to observe networks on a Sun so that it
had the same MD5 checksum as the official trusted version. But whether
this is real is not strictly the issue.
In the case of the trust being placed in MD5 by Netscape, the assumption
being made (without adequate support as far as I can tell) is that an
MD5 checksum cannot be forced, through a chosen plaintext attack, to
yield checksums of 1, 2, 3, 5, 7, 9, ... on up to enough primes to
allow the known plaintext attack that gets the RSA private key used to
authenticate messages. As far as I am aware (and I may not be aware of
everything) there is no reference work to support this assumption. If
the assumption is wrong, then the whole SSL can fall to a selected
plaintext attack launchable (presumably) through those general purpose
Java aplets we have heard so much about.
> [btw who talked about 'unlimited' trust ?]
There has been no limit given by anyone on this list to the level of
trust they place in MD5. Several people have posted (without
contention) that MD5 is sufficiently trustworthy to trust billions of
dollars in commerce to it's being able to prevent a selected plaintext
attack as eluded to above. If you think we should trust it, and you
don't limit your assessment of trust, what other assumption should I
make? If several people proclaim that trust and nobody stands up in
disagreement, tacit agreement is my normal (although not necessarily
justified) assumption.
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Return to October 1995
Return to “Simon Spero <ses@tipper.oit.unc.edu>”