From: "RayLopez99" <[email protected]>
| Thanks for this, it was interesting.
| However, if you read it carefully you see they are really talking
| about something slightly different: s/w integrity or code signing.
| That's when you download a file and want to make sure you did not make
| a mistake, or download malware.
| My question is different: suppose you find a file on your PC that you
| think is malware. You should be able to go to the source of the file,
| say Microsoft, and ask them what the SHA1 hash (or some other hash)
| is. Then you can check out the hash and see if they match. This
| paper specifically addresses the issue of how you can confuse the hash
| to look like malware or a legitimate program, but it assumes the user
| does not know what the 'good' hash signature is for the legitimate
| program (read the abstract carefully and see). I'm saying publishers
| should publish what the good hash is.
| RL
| It is important to note that the hash value shared by the two
| different files is a result of the collision construction process. We
| cannot target a given hash value, and produce a (meaningful) input bit
| string hashing to that given value. In cryptographic terms: our attack
| is an attack on collision resistance, not on preimage or second
| preimage resistance. This implies that both colliding files have to be
| specially prepared by the attacker, before they are published on a
| download site or presented for signing by a code signing scheme.
| Existing files with a known hash that have not been prepared in this
| way are not vulnerable.
| MD5 should no longer be used as a hash function for software integrity
| or code signing purposes.
| By now, everyone should be aware of this. If you are still using MD5,
| it would be good to carefully analyse the risks that result from its
| continued usage.
| Note that also the collision resistance of SHA-1 does not live up to
| its design criteria anymore, though attacking SHA-1 is still much more
| difficult than attacking MD5. See the IAIK Krypto collision website
| for the present state of affairs.
MD5 is used and the important part on the web page starts...
"We now present our proof of concept pair of Win32 executable files that have different
functionality but identical MD5 hash values."
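The thread's two points, that a publisher-posted "good hash" lets a user check a file, and that a match on MD5 or SHA-1 alone is worth little now, can be turned into a small check. This is an added example, not code from the post or from the quoted website; the algorithm split into "accepted" and "broken" and the verdict labels are my assumptions, and the sample file and posted digests are constructed inline.

```python
import hashlib
import hmac

# Algorithms the quoted page says are no longer fit for integrity / code-signing use.
BROKEN = {"md5", "sha1"}
# Algorithms accepted here as a publisher's "good hash" (assumption for this example).
ACCEPTED = {"sha256", "sha512"}


def verify_published_hashes(data: bytes, published: dict) -> dict:
    """Check a downloaded file against the digests its publisher lists.

    `published` maps algorithm name -> hex digest as posted by the publisher.
    Verdict: 'ok' if an ACCEPTED digest matches and nothing mismatches,
    'mismatch' if any listed digest differs, 'weak' if only MD5/SHA-1 matched,
    'unverifiable' if none of the listed algorithms could be computed.
    """
    results = {}
    for alg, expected in published.items():
        alg = alg.lower()
        if alg not in hashlib.algorithms_available:
            results[alg] = None  # cannot compute this one locally
            continue
        actual = hashlib.new(alg, data).hexdigest()
        # constant-time compare so a partial match is not revealed through timing
        results[alg] = hmac.compare_digest(actual, expected.lower())
    if any(r is False for r in results.values()):
        verdict = "mismatch"
    elif any(results.get(a) for a in ACCEPTED):
        verdict = "ok"
    elif any(results.get(a) for a in BROKEN):
        verdict = "weak"
    else:
        verdict = "unverifiable"
    return {"results": results, "verdict": verdict}


# Constructed sample: the "downloaded file" and the digests its publisher posted.
SAMPLE = b"hello world\n"
PUBLISHED_GOOD = {
    "sha256": hashlib.sha256(SAMPLE).hexdigest(),
    "md5": hashlib.md5(SAMPLE).hexdigest(),
}
PUBLISHED_MD5_ONLY = {"md5": hashlib.md5(SAMPLE).hexdigest()}

if __name__ == "__main__":
    print(verify_published_hashes(SAMPLE, PUBLISHED_GOOD)["verdict"])          # ok
    print(verify_published_hashes(SAMPLE, PUBLISHED_MD5_ONLY)["verdict"])      # weak
    print(verify_published_hashes(SAMPLE + b"x", PUBLISHED_GOOD)["verdict"])   # mismatch
```

A "weak" verdict is the case the quoted text warns about: an MD5 match says nothing if both files were prepared by the attacker before publication.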