severity 788783 normal
kthxbye

On Wed, Jun 17, 2015 at 12:01:09PM +0100, Mark Wooding wrote:
> The best technique I can think of uses Kelsey and Schneier's expandable
> messages, which uses collisions in the underlying compression function
> to obtain a second preimage for the hash of a /very long/ original
> message. Because the original message is very long, there are lots of
> likely distinct chaining values obtained while hashing it. So the
> strategy is to look for collisions between these and intermediate values
> for your second-preimage message, so effectively you're searching for
> second preimages at the compression-function level, and get to count all
> of the applications of the compression function used to compute the hash
> of the challenge message towards your attack. But all of this still
> requires about 2^{128} compression-function applications total.
>
> There's a slight problem. You can't just stick the appropriate suffix
> of the target message onto the end of your second-preimage prefix,
> because there's a length in the final block. This is where the
> expandable messages come in, and this is where MD5's lack of collision
> resistance becomes significant: you look for a lot of collisions between
> message fragments of different lengths[1], so you can stitch them
> together to pad out the prefix to whatever length you need for the final
> block to come out right.
It looks like I misread OpenSSH's key handling code, in that I missed the
check for too many MPIs. That makes the chosen prefix attacks from
Kuznetsov/Stevens less useful in this particular case. So I agree that in
this case it is probably not sufficiently easy to be interesting, although
I think we're both in agreement that MD5 should go away fast.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
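The construction Mark describes in the quoted message, as an added worked example that is not part of this thread and has nothing to do with OpenSSH's code: a toy Merkle-Damgard hash with a 16-bit chaining value, 2-byte blocks and a final length block (MD strengthening), a Kelsey-Schneier expandable message built from compression-function collisions, and a second preimage for a 256-block target obtained by linking into one of the target's intermediate chaining values and reusing its suffix. The state width, block size, `IV`, table sizes and every function name here are assumptions chosen so the brute-force searches finish instantly; the shape of the steps is what matters, and it shows concretely why the length block forces the forgery to be stretched to exactly the original's length.

```python
import hashlib
import struct

# Toy Merkle-Damgard hash: 16-bit chaining value, 2-byte blocks.
# All sizes and search bounds are assumptions chosen so brute force is instant;
# the structure (compress, chain, final length block) mirrors MD5's shape.
IV = 0x1234
ZERO = b"\x00\x00"


def compress(h: int, block: bytes) -> int:
    """Toy compression function: SHA-256(state || block) truncated to 16 bits."""
    d = hashlib.sha256(struct.pack(">H", h) + block).digest()
    return struct.unpack(">H", d[:2])[0]


def chain(h: int, blocks: list) -> int:
    """Run the compression function over a list of 2-byte blocks."""
    for b in blocks:
        h = compress(h, b)
    return h


def toy_hash(blocks: list) -> int:
    """Merkle-Damgard with MD strengthening: the final block encodes the length,
    so a forgery must have exactly the same number of blocks as the original."""
    return compress(chain(IV, blocks), struct.pack(">H", len(blocks)))


def find_collision(h1: int, h2: int, table_size: int = 4096):
    """Find blocks b1, b2 with compress(h1, b1) == compress(h2, b2) using a
    small lookup table (generic birthday-style search on the toy state)."""
    table = {}
    for i in range(table_size):
        b1 = struct.pack(">H", i)
        table.setdefault(compress(h1, b1), b1)
    for i in range(1 << 16):
        b2 = struct.pack(">H", i)
        hv = compress(h2, b2)
        if hv in table:
            return table[hv], b2, hv
    raise RuntimeError("no collision found")  # vanishingly unlikely at 16 bits


def expandable_message(h: int, k: int):
    """Kelsey-Schneier expandable message: k collision pairs where piece i is
    either 1 block or 2^i + 1 blocks, both ending in the same chaining value.
    Picking one piece per pair gives any length in [k, k + 2^k - 1]."""
    pieces = []
    for i in range(k):
        filler = [ZERO] * (2 ** i)
        b_short, b_long, h = find_collision(h, chain(h, filler))
        pieces.append(([b_short], filler + [b_long]))
    return pieces, h


def expand_to(pieces: list, length: int) -> list:
    """Select short/long pieces (in order) so the message is exactly `length` blocks."""
    extra = length - len(pieces)
    if not 0 <= extra < 2 ** len(pieces):
        raise ValueError("length outside the expandable range")
    out = []
    for i, (short, long_) in enumerate(pieces):
        out += long_ if extra & (1 << i) else short
    return out


def second_preimage(target: list, k: int) -> list:
    """Second preimage for a long target: stretch the expandable message to j-1
    blocks, link with one block into the target's chaining value after block j,
    then reuse the target's own suffix so the final length block matches too."""
    n = len(target)
    states = {}
    h = IV
    for j in range(1, n + 1):
        h = compress(h, target[j - 1])
        if k <= j - 1 < k + 2 ** k:  # only positions the expandable part can reach
            states.setdefault(h, j)
    pieces, h_exp = expandable_message(IV, k)
    for i in range(1 << 16):
        link = struct.pack(">H", i)
        j = states.get(compress(h_exp, link))
        if j is not None:
            return expand_to(pieces, j - 1) + [link] + target[j:]
    raise RuntimeError("no linking block found")


def demo(n_blocks: int = 256, k: int = 8):
    """Constructed 256-block target message; returns (target, second preimage)."""
    target = [hashlib.sha256(b"block-%d" % i).digest()[:2] for i in range(n_blocks)]
    return target, second_preimage(target, k)


if __name__ == "__main__":
    t, s = demo()
    print("same hash:", toy_hash(t) == toy_hash(s), "distinct messages:", t != s)
```

The two searches correspond to the two halves of the quoted explanation: `second_preimage` gets one free target per intermediate chaining value of the long message (the more blocks, the cheaper the link), and `expandable_message` is what absorbs the length block, since the forged prefix has to come out at exactly `j - 1` blocks before the link. At 16 bits everything is a table lookup; the same steps against a 128-bit state are what the quoted cost estimate is about.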