[Mac_crypto] Apple should use SHA! (or stronger) to authenticate software releases

R. A. Hettinga mac_crypto@vmeng.com
Mon, 5 Apr 2004 15:49:47 -0500

--- begin forwarded text

Delivered-To: cryptography@metzdowd.com
From: "Anton Stiglic" <astiglic@okiok.com>
To: "Arnold G. Reinhold" <reinhold@world.std.com>,
	"Don Davis" <dtd@world.std.com>
Cc: <cryptography@metzdowd.com>
Subject: Re: [Mac_crypto] Apple should use SHA! (or stronger) to
authenticate  software releases
Date: Mon, 5 Apr 2004 14:00:23 -0400
Organization: Okiok Lts
Sender: owner-cryptography@metzdowd.com

The attacks by Dobbertin on MD5 only allow to find collisions in the
compression function, not the whole MD5 hash.

But it is a sign that something might be fishy about MD5.

MD5 output is 128 bits.  There are two types of collision finding
attacks that can be applied.  In the first you are given a hash value
y = H(x), for some x, and try to find a different input x' that hashes
to the same output:  H(x) = H(x') = y.  This relates to 2nd-preimage
resistance.  This can be done on MD5 in 2^128 work factor.
The other attack is to find two arbitrary inputs x, x' such that
H(x) = H(x').  This relates to collision resistance.  This can be done
with good probability in 2^64 work factor.  Now, the problem
of having a malicious source code hash to the same value as good/valid
source code seems to be related more to the former, that is you have
some code that is checked-in, that gives some hash value Y, and you
want to find a different code (malicious one) that hashes to the same value.
You might be able to play with the valid code as well, giving you more
flexibility for the search of a collision, but you can't play too much
having this noticed by other developers.

I think that there are many other problems that are more of concern.  For
example hacking a web site (or mirror site) that contains code for download,
and changing the code along with the hash value of the code, or preventing
a developer from inserting some kind of trap door or Trojan.

But if you are given the choice between using MD5 and SHA1, I'd prefer
SHA1, but I wouldn't be concerned with someone using MD5 instead of SHA1
for the time being. In other words, if I were to do a risk analysis, I would
the use of MD5 instead of SHA1 as one of the major risks.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

--- end forwarded text

R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
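The two attack models the forwarded message distinguishes (second preimage at 2^n work, collision at roughly 2^(n/2) work for an n-bit hash) can be watched in miniature. The following is an added example written for this archive page; it is not code from Anton Stiglic's message, from Apple, or from any release tooling. It models an n-bit hash by truncating SHA-256 (the generic bounds depend only on the output size, so the choice of MD5 versus SHA-256 underneath does not matter here), uses 16 bits so both searches finish in seconds, and the file-name-like byte strings are constructed sample inputs.

```python
import hashlib
from typing import Dict, Optional, Tuple


def truncated_hash(data: bytes, bits: int) -> int:
    """Model an n-bit hash by keeping the top `bits` bits of SHA-256.
    Only the output size matters for the generic attack bounds
    (MD5 is 128 bits, SHA-1 160 bits); 16 bits keeps the demo fast."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def expected_work(bits: int) -> Tuple[int, int]:
    """Generic work factors for an n-bit hash, as quoted in the message:
    (second-preimage search, birthday collision search)."""
    return 2 ** bits, 2 ** (bits // 2)


def find_second_preimage(target: bytes, bits: int,
                         limit: int = 1 << 24) -> Optional[Tuple[bytes, int]]:
    """The 'checked-in code' scenario: the good input and its published hash
    are fixed, and a different input with the same hash is wanted.
    Each trial succeeds with probability 2^-bits, so ~2^bits trials are
    expected. Returns (candidate, trials) or None if `limit` is exhausted."""
    y = truncated_hash(target, bits)
    for i in range(limit):
        candidate = b"other-build-%d" % i          # constructed sample input
        if candidate != target and truncated_hash(candidate, bits) == y:
            return candidate, i + 1
    return None


def find_collision(bits: int) -> Tuple[bytes, bytes, int]:
    """The 'you can play with the valid code as well' scenario: both inputs
    are free, so a birthday search applies. Terminates within 2^bits + 1
    trials by pigeonhole and needs ~sqrt(pi/2 * 2^bits) on average.
    Returns (input_a, input_b, trials)."""
    seen: Dict[int, bytes] = {}
    i = 0
    while True:
        candidate = b"variant-%d" % i               # constructed sample input
        i += 1
        h = truncated_hash(candidate, bits)
        if h in seen:
            return seen[h], candidate, i
        seen[h] = candidate


if __name__ == "__main__":
    bits = 16
    print("generic work factors for MD5 (128 bits):", expected_work(128))
    target = b"release-1.0.tar.gz"                   # constructed sample input
    found = find_second_preimage(target, bits)
    if found is not None:
        print("second preimage of %r after %d trials" % (target, found[1]))
    a, b, trials = find_collision(bits)
    print("collision %r / %r after %d trials" % (a, b, trials))
```

Running it shows the collision search finishing after a few hundred trials while the second-preimage search typically needs tens of thousands, which is the 2^(n/2) versus 2^n gap the message uses to argue that the release-authentication problem sits closer to the harder, second-preimage end unless the attacker can also shape the legitimate input.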