MD5 weakness ? [was Re: Netscape Log

Germain Arthur agermain at cmp.com
Wed Oct 25 06:31:25 PDT 1995



I have unsubscribed from this mailing list. Please remove my name from   
your personal address lists. Thanks.

ahg3

 ----------
From:  Steve Bryan[SMTP:sbryan at maroon.tc.umn.edu]
Sent:  Tuesday, October 24, 1995 3:08 PM
To:  Dr. Frederick B. Cohen
Cc:  cypherpunks
Subject:  Re: MD5 weakness ? [was Re: Netscape Logic Bomb detailed by   
IETF]


Dr. Frederick B. Cohen writes:

>In the case of the trust being placed in MD5 by Netscape, the assumption
>being made (without adequate support as far as I can tell) is that an
>MD5 checksum cannot be forced, through a chosen plaintext attack, to
>yield checksums of 1, 2, 3, 5, 7, 9, ...  on up to enough primes to
>allow the known plaintext attack that gets the RSA private key used to
>authenticate messages.  As far as I am aware (and I may not be aware of
>everything) there is no reference work to support this assumption.  If
>the assumption is wrong, then the whole SSL can fall to a selected
>plaintext attack launchable (presumably) through those general purpose
>Java aplets we have heard so much about.

With a mailing list this large and diverse one can reasonably assume a   
range
 of interests and expertise. What I don't understand is your agnostic   
stance
 on something as apparently basic as MD5. If computer security is your
 purported area of expertise why have you not reached any firm   
conclusions
 about it? I understand that rigid conclusions are unsafe (eg they'll   
never
 prove Fermat's last theorem) but it is not like every question is   
equally
 open. Do you have a realistic attack on MD5 or is this sophomoric   
claptrap?
 How do you propose to generate messages with specific message digests?
 Assuming you could somehow, how do you proceed to use that information   
to
 your advantage? So let's say I have a message digest and I'm retrieving   
the
 allegedly corresponding message which you have the opportunity to alter   
to
 your heart's content. How would you proceed, even in principle, to   
defeat
 MD5? I realize I might be assuming too much when I posit that I have the
 true MD5 for the message but my understanding is that you feel that MD5
 might be vulnerable. I've given you all the known plaintexts. Is there a
 next step?

+----------------------------------------------------------------------
|Steve Bryan                Internet: sbryan at gofast.net
|Sexton Software          CompuServe: 76545,527
|Minneapolis, MN                 Fax: (612) 929-1799
|PGP key fingerprint: B4 C6 E2 A6 5F 87 57 7D  E1 8C A6 9B A9 BE 96 CB
+----------------------------------------------------------------------










More information about the cypherpunks-legacy mailing list