[wrong] CIA Internal Documents use Broken Hash to Verify File Integrity
Everyone here already knows this I'm sure, but it's still confusing the heck out of me. In the hive docs at https://archive.org/stream/CIAVAULT7PDFFILES/UsersGuide_djvu.txt or at wikileaks or in the hiver source, files are paired with md5 hashes. These are also used elsewhere. Release snapshots are also paired only with md5 hashes. Here's some text from https://en.wikipedia.org/wiki/MD5#Security . My phone misbehaved very severely while pasting this text in, with multiple applications popping up unexpectedly and rapidly flashing over each other with sounds and UI elements ceasing to function. I got the text in fully with only 1 reboot by finding alternative ways in the phone of working with it.

Security

The security of the MD5 hash function is severely compromised. A collision attack exists that can find collisions within seconds on a computer with a 2.6 GHz Pentium 4 processor (complexity of 2^24.1).[19] Further, there is also a chosen-prefix collision attack that can produce a collision for two inputs with specified prefixes within seconds, using off-the-shelf computing hardware (complexity 2^39).[20] The ability to find collisions has been greatly aided by the use of off-the-shelf GPUs. On an NVIDIA GeForce 8400GS graphics processor, 16–18 million hashes per second can be computed. An NVIDIA GeForce 8800 Ultra can calculate more than 200 million hashes per second.[21]

These hash and collision attacks have been demonstrated in the public in various situations, including colliding document files[22][23] and digital certificates.[24] As of 2015, MD5 was demonstrated to be still quite widely used, most notably by security research and antivirus companies.[25] As of 2019, one quarter of widely used content management systems were reported to still use MD5 for password hashing.[6]

Overview of security issues

In 1996, a flaw was found in the design of MD5. While it was not deemed a fatal weakness at the time, cryptographers began recommending the use of other algorithms, such as SHA-1, which has since been found to be vulnerable as well.[26] In 2004 it was shown that MD5 is not collision-resistant.[27] As such, MD5 is not suitable for applications like SSL certificates or digital signatures that rely on this property for digital security. Also in 2004 researchers discovered more serious flaws in MD5, and described a feasible collision attack -- a method to create a pair of inputs for which MD5 produces identical checksums.[7][28] Further advances were made in breaking MD5 in 2005, 2006, and 2007.[29] In December 2008, a group of researchers used this technique to fake SSL certificate validity.[24][30] As of 2010, the CMU Software Engineering Institute considers MD5 "cryptographically broken and unsuitable for further use",[31] and most U.S. government applications now require the SHA-2 family of hash functions.[32] In 2012, the Flame malware exploited the weaknesses in MD5 to fake a Microsoft digital signature.[33]

Collision vulnerabilities

Further information: Collision attack

In 1996, collisions were found in the compression function of MD5, and Hans Dobbertin wrote in the RSA Laboratories technical newsletter, "The presented attack does not yet threaten practical applications of MD5, but it comes rather close ... in the future MD5 should no longer be implemented ... where a collision-resistant hash function is required."[34] In 2005, researchers were able to create pairs of PostScript documents[35] and X.509 certificates[36] with the same hash. Later that year, MD5's designer Ron Rivest wrote that "md5 and sha1 are both clearly broken (in terms of collision-resistance)".[37]

On 30 December 2008, a group of researchers announced at the 25th Chaos Communication Congress how they had used MD5 collisions to create an intermediate certificate authority certificate that appeared to be legitimate when checked by its MD5 hash.[24] The researchers used a PS3 cluster at the EPFL in Lausanne, Switzerland[38] to change a normal SSL certificate issued by RapidSSL into a working CA certificate for that issuer, which could then be used to create other certificates that would appear to be legitimate and issued by RapidSSL. VeriSign, the issuers of RapidSSL certificates, said they stopped issuing new certificates using MD5 as their checksum algorithm for RapidSSL once the vulnerability was announced.[39] Although Verisign declined to revoke existing certificates signed using MD5, their response was considered adequate by the authors of the exploit (Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger).[24] Bruce Schneier wrote of the attack that "we already knew that MD5 is a broken hash function" and that "no one should be using MD5 anymore".[40] The SSL researchers wrote, "Our desired impact is that Certification Authorities will stop using MD5 in issuing new certificates. We also hope that use of MD5 in other applications will be reconsidered as well."[24]

In 2012, according to Microsoft, the authors of the Flame malware used an MD5 collision to forge a Windows code-signing certificate.[33]

MD5 uses the Merkle–Damgård construction, so if two prefixes with the same hash can be constructed, a common suffix can be added to both to make the collision more likely to be accepted as valid data by the application using it. Furthermore, current collision-finding techniques allow to specify an arbitrary prefix: an attacker can create two colliding files that both begin with the same content. All the attacker needs to generate two colliding files is a template file with a 128-byte block of data, aligned on a 64-byte boundary, that can be changed freely by the collision-finding algorithm. An example MD5 collision, with the two messages differing in 6 bits, is:

d131dd02c5e6eec4 693d9a0698aff95c 2fcab58712467eab 4004583eb8fb7f89
55ad340609f4b302 83e488832571415a 085125e8f7cdc99f d91dbdf280373c5b
d8823e3156348f5b ae6dacd436c919c6 dd53e2b487da03fd 02396306d248cda0
e99f33420f577ee8 ce54b67080a80d1e c69821bcb6a88393 96f9652b6ff72a70

d131dd02c5e6eec4 693d9a0698aff95c 2fcab50712467eab 4004583eb8fb7f89
55ad340609f4b302 83e4888325f1415a 085125e8f7cdc99f d91dbd7280373c5b
d8823e3156348f5b ae6dacd436c919c6 dd53e23487da03fd 02396306d248cda0
e99f33420f577ee8 ce54b67080280d1e c69821bcb6a88393 96f965ab6ff72a70

Both produce the MD5 hash 79054025255fb1a26e4bc422aef54eb4.[41] The difference between the two samples is that the leading bit in each nibble has been flipped. For example, the 20th byte (offset 0x13) in the top sample, 0x87, is 10000111 in binary. The leading bit in the byte (also the leading bit in the first nibble) is flipped to make 00000111, which is 0x07, as shown in the lower sample.

Later it was also found to be possible to construct collisions between two files with separately chosen prefixes. This technique was used in the creation of the rogue CA certificate in 2008. A new variant of parallelized collision searching using MPI was proposed by Anton Kuznetsov in 2014, which allowed finding a collision in 11 hours on a computing cluster.[42]

Preimage vulnerability

In April 2009, an attack against MD5 was published that breaks MD5's preimage resistance. This attack is only theoretical, with a computational complexity of 2^123.4 for full preimage.[43][44]
So, what is going on that the CIA is using the MD5 hash? Basically, this means that someone somewhere wants something to be altered that has an md5 hash, and either this branch of the CIA is the target, or the impact of the effort reached and influenced them somehow.

- the cia could be watching, like a honeypot in your own systems
- the nsa or such could be infiltrating the cia
- the cia could be blindly following very old norms out of chance
- security businesses could be planning to take over the government
- foreign militaries could have been psyoping american military research
- cia employees could have been planning to take over their government

It could be anything. But whatever it is, it seems important to understand what. Who, in 2013, was using _better_ hashes than md5?
participants (1)
- Karl
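The following is an added example, not part of Karl's post and not code from the Hive documentation or any CIA project. It takes the two 128-byte colliding messages quoted above (the Wang et al. pair reproduced in the Wikipedia article) and shows, with nothing beyond Python's standard hashlib, what an MD5-only integrity check actually buys you: both messages pass the same published checksum, the two files differ in exactly six bits, any common suffix appended to both keeps them colliding (the Merkle-Damgard suffix property the quoted text describes), a prefix in front of them breaks this particular pair because it was computed from MD5's fixed initial chaining value, and SHA-256 tells the two apart. The function names, the sample suffix and the sample prefix are constructed for illustration.

```python
import hashlib

# Constructed example: the two colliding 128-byte messages from the post
# (hex as printed in the Wikipedia MD5 article). Everything else in this
# file is illustration code, not code from the Hive docs or from Wikipedia.
COLLIDING_HEX = (
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70",
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70",
)
MSG_A, MSG_B = (bytes.fromhex(h) for h in COLLIDING_HEX)

# The checksum a release manifest or user guide would publish for "the" file.
PUBLISHED_MD5 = "79054025255fb1a26e4bc422aef54eb4"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def md5_integrity_check(data: bytes, published_md5: str) -> bool:
    """The whole of an MD5-only integrity check: hash the bytes you were
    handed and compare against the published digest. It cannot distinguish
    the genuine file from a colliding substitute."""
    return md5_hex(data) == published_md5.lower()


def differing_bits(a: bytes, b: bytes) -> list:
    """Return (byte_offset, bit_mask) for every bit position where a and b
    differ, so the 'six bits' claim in the post can be checked directly."""
    if len(a) != len(b):
        raise ValueError("messages must be the same length")
    diffs = []
    for offset, (x, y) in enumerate(zip(a, b)):
        delta = x ^ y
        for bit in range(8):
            if delta & (1 << bit):
                diffs.append((offset, 1 << bit))
    return diffs


def extend_both(suffix: bytes) -> tuple:
    """Append the same suffix to both messages. Because MD5 is a
    Merkle-Damgard hash and the two messages are block-aligned and already
    share a chaining value after their last block, the collision survives
    any common suffix. Returns (md5_a, md5_b, still_colliding)."""
    md5_a = md5_hex(MSG_A + suffix)
    md5_b = md5_hex(MSG_B + suffix)
    return md5_a, md5_b, md5_a == md5_b


def prepend_both(prefix: bytes) -> tuple:
    """Put the same prefix in front of both messages. This pair was found
    for MD5's fixed initial value, so a different chaining value going into
    the colliding blocks breaks it; getting a collision after a chosen prefix
    needs the separate chosen-prefix attack the post mentions.
    Returns (md5_a, md5_b, still_colliding)."""
    md5_a = md5_hex(prefix + MSG_A)
    md5_b = md5_hex(prefix + MSG_B)
    return md5_a, md5_b, md5_a == md5_b


if __name__ == "__main__":
    print("file A md5:", md5_hex(MSG_A))
    print("file B md5:", md5_hex(MSG_B))
    print("B passes A's published checksum:",
          md5_integrity_check(MSG_B, PUBLISHED_MD5))
    print("bits that differ:", differing_bits(MSG_A, MSG_B))
    # Constructed suffix: stands in for the "real" payload that follows
    # the 128-byte collision block in a crafted file.
    print("still colliding after a common suffix:",
          extend_both(b"-- rest of the release archive --")[2])
    # Constructed prefix: one full 64-byte block of filler.
    print("still colliding after a common prefix:",
          prepend_both(b"\x00" * 64)[2])
    print("sha256 A:", sha256_hex(MSG_A))
    print("sha256 B:", sha256_hex(MSG_B))
```

The practical reading for anyone consuming the Hive documents or release snapshots: an md5 next to a filename proves only that you have *a* file with that digest, not the one the author hashed. Publishing a SHA-2 digest (or better, a signature over one) is what would actually pin the contents.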