[wrong] CIA Internal Documents use Broken Hash to Verify File Integrity

Karl gmkarl at gmail.com
Fri Dec 10 03:51:42 PST 2021


Everyone here already knows this I'm sure, but it's still confusing the
heck out of me.

In the hive docs at
https://archive.org/stream/CIAVAULT7PDFFILES/UsersGuide_djvu.txt or at
wikileaks or in the hiver source, files are paired with md5 hashes.  These
are also used elsewhere.  Release snapshots are also paired only with md5
hashes.

Here's some text from https://en.wikipedia.org/wiki/MD5#Security .  My
phone misbehaved very severely while pasting this text in, with multiple
applications popping up unexpectedly and rapidly flashing over each other
with sounds and UI elements ceasing to function.  I got the text in fully
with only 1 reboot by finding alternative ways in the phone of working with
it.

Security
The security of the MD5 hash function is severely compromised. A collision
attack exists that can find collisions within seconds on a computer with a
2.6 GHz Pentium 4 processor (complexity of 2^24.1).[19] Further, there is
also a chosen-prefix collision attack that can produce a collision for two
inputs with specified prefixes within seconds, using off-the-shelf
computing hardware (complexity 2^39).[20] The ability to find collisions has
been greatly aided by the use of off-the-shelf GPUs. On an NVIDIA GeForce
8400GS graphics processor, 16–18 million hashes per second can be computed.
An NVIDIA GeForce 8800 Ultra can calculate more than 200 million hashes per
second.[21]

These hash and collision attacks have been demonstrated in the public in
various situations, including colliding document files[22][23] and digital
certificates.[24] As of 2015, MD5 was demonstrated to be still quite widely
used, most notably by security research and antivirus companies.[25]

As of 2019, one quarter of widely used content management systems were
reported to still use MD5 for password hashing.[6]

Overview of security issues
In 1996, a flaw was found in the design of MD5. While it was not deemed a
fatal weakness at the time, cryptographers began recommending the use of
other algorithms, such as SHA-1, which has since been found to be
vulnerable as well.[26] In 2004 it was shown that MD5 is not
collision-resistant.[27] As such, MD5 is not suitable for applications like
SSL certificates or digital signatures that rely on this property for
digital security. Also in 2004 researchers discovered more serious flaws in
MD5, and described a feasible collision attack -- a method to create a pair
of inputs for which MD5 produces identical checksums.[7][28] Further
advances were made in breaking MD5 in 2005, 2006, and 2007.[29] In December
2008, a group of researchers used this technique to fake SSL certificate
validity.[24][30]

As of 2010, the CMU Software Engineering Institute considers MD5
"cryptographically broken and unsuitable for further use",[31] and most
U.S. government applications now require the SHA-2 family of hash
functions.[32] In 2012, the Flame malware exploited the weaknesses in MD5
to fake a Microsoft digital signature.[33]

Collision vulnerabilities
Further information: Collision attack
In 1996, collisions were found in the compression function of MD5, and Hans
Dobbertin wrote in the RSA Laboratories technical newsletter, "The
presented attack does not yet threaten practical applications of MD5, but
it comes rather close ... in the future MD5 should no longer be implemented
... where a collision-resistant hash function is required."[34]

In 2005, researchers were able to create pairs of PostScript documents[35]
and X.509 certificates[36] with the same hash. Later that year, MD5's
designer Ron Rivest wrote that "md5 and sha1 are both clearly broken (in
terms of collision-resistance)".[37]

On 30 December 2008, a group of researchers announced at the 25th Chaos
Communication Congress how they had used MD5 collisions to create an
intermediate certificate authority certificate that appeared to be
legitimate when checked by its MD5 hash.[24] The researchers used a PS3
cluster at the EPFL in Lausanne, Switzerland[38] to change a normal SSL
certificate issued by RapidSSL into a working CA certificate for that
issuer, which could then be used to create other certificates that would
appear to be legitimate and issued by RapidSSL. VeriSign, the issuers of
RapidSSL certificates, said they stopped issuing new certificates using MD5
as their checksum algorithm for RapidSSL once the vulnerability was
announced.[39] Although Verisign declined to revoke existing certificates
signed using MD5, their response was considered adequate by the authors of
the exploit (Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen
Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger).[24] Bruce
Schneier wrote of the attack that "we already knew that MD5 is a broken
hash function" and that "no one should be using MD5 anymore".[40] The SSL
researchers wrote, "Our desired impact is that Certification Authorities
will stop using MD5 in issuing new certificates. We also hope that use of
MD5 in other applications will be reconsidered as well."[24]

In 2012, according to Microsoft, the authors of the Flame malware used an
MD5 collision to forge a Windows code-signing certificate.[33]

MD5 uses the Merkle–Damgård construction, so if two prefixes with the same
hash can be constructed, a common suffix can be added to both to make the
collision more likely to be accepted as valid data by the application using
it. Furthermore, current collision-finding techniques allow to specify an
arbitrary prefix: an attacker can create two colliding files that both
begin with the same content. All the attacker needs to generate two
colliding files is a template file with a 128-byte block of data, aligned
on a 64-byte boundary, that can be changed freely by the collision-finding
algorithm. An example MD5 collision, with the two messages differing in 6
bits, is:

d131dd02c5e6eec4 693d9a0698aff95c 2fcab58712467eab 4004583eb8fb7f89
55ad340609f4b302 83e488832571415a 085125e8f7cdc99f d91dbdf280373c5b
d8823e3156348f5b ae6dacd436c919c6 dd53e2b487da03fd 02396306d248cda0
e99f33420f577ee8 ce54b67080a80d1e c69821bcb6a88393 96f9652b6ff72a70

d131dd02c5e6eec4 693d9a0698aff95c 2fcab50712467eab 4004583eb8fb7f89
55ad340609f4b302 83e4888325f1415a 085125e8f7cdc99f d91dbd7280373c5b
d8823e3156348f5b ae6dacd436c919c6 dd53e23487da03fd 02396306d248cda0
e99f33420f577ee8 ce54b67080280d1e c69821bcb6a88393 96f965ab6ff72a70

Both produce the MD5 hash 79054025255fb1a26e4bc422aef54eb4.[41] The
difference between the two samples is that the leading bit in each nibble
has been flipped. For example, the 20th byte (offset 0x13) in the top
sample, 0x87, is 10000111 in binary. The leading bit in the byte (also the
leading bit in the first nibble) is flipped to make 00000111, which is
0x07, as shown in the lower sample.

Later it was also found to be possible to construct collisions between two
files with separately chosen prefixes. This technique was used in the
creation of the rogue CA certificate in 2008. A new variant of parallelized
collision searching using MPI was proposed by Anton Kuznetsov in 2014,
which allowed finding a collision in 11 hours on a computing cluster.[42]

Preimage vulnerability
In April 2009, an attack against MD5 was published that breaks MD5's
preimage resistance. This attack is only theoretical, with a computational
complexity of 2^123.4 for full preimage.[43][44]
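Added example, not part of Karl's post or of the Wikipedia text he quotes: a short Python script that checks the two 128-byte messages above with the standard library's hashlib, lists the six differing bits, shows that appending a common suffix to both messages keeps the MD5 collision (the Merkle-Damgard consequence the quoted text describes), shows that SHA-256 tells the two apart, and wraps a manifest check of the kind the hive docs do with md5 pairings so that a match under a collision-broken algorithm is reported as untrustworthy. The suffix, the `verify_manifest_entry` helper and its return convention are this example's own assumptions.

```python
# Added example; not from the original post nor from the Wikipedia article it
# quotes. Uses only hashlib/hmac from the standard library. The two 128-byte
# messages are the public collision pair quoted in the post.
import hashlib
import hmac

# Message pair from the post (Wikipedia's example, its reference [41]).
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
# Digest the post says both messages produce.
EXPECTED_MD5 = "79054025255fb1a26e4bc422aef54eb4"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_bits(a: bytes, b: bytes) -> list:
    """(byte_offset, bit_index) for every bit position where a and b differ.

    bit_index 7 is the most significant bit of the byte, so the post's
    example byte at offset 0x13 (0x87 -> 0x07) shows up as (0x13, 7).
    """
    found = []
    for offset, (x, y) in enumerate(zip(a, b)):
        delta = x ^ y
        for bit in range(8):
            if delta & (1 << bit):
                found.append((offset, bit))
    return found


def collide_with_suffix(suffix: bytes) -> bool:
    """Does appending the same suffix to both messages keep the MD5 collision?

    Both messages are exactly two 64-byte MD5 blocks and the pair collides in
    the chaining state after the second block, so the Merkle-Damgard
    construction carries any common suffix along unchanged. That is why a
    colliding 128-byte block pair can be embedded in a larger template file.
    """
    return md5_hex(BLOCK_A + suffix) == md5_hex(BLOCK_B + suffix)


def verify_manifest_entry(data: bytes, algorithm: str, expected_hex: str) -> tuple:
    """Check a file against a manifest digest (assumed helper, this example's own).

    Returns (matches, trustworthy). `matches` is the plain digest comparison;
    `trustworthy` is False for algorithms whose collision resistance is
    broken (MD5, SHA-1), because a matching digest then does not rule out a
    substituted file. A defender's manifest check should treat (True, False)
    as 'unverified', not as 'verified'.
    """
    digest = hashlib.new(algorithm, data).hexdigest()
    matches = hmac.compare_digest(digest, expected_hex.lower())
    trustworthy = algorithm.lower() not in {"md5", "sha1"}
    return matches, trustworthy


if __name__ == "__main__":
    print("md5(A) =", md5_hex(BLOCK_A))
    print("md5(B) =", md5_hex(BLOCK_B))
    print("differing bits (offset, bit):", differing_bits(BLOCK_A, BLOCK_B))
    # Constructed suffix; any byte string gives the same answer.
    print("still collide after common suffix:", collide_with_suffix(b"constructed suffix"))
    print("sha256(A) == sha256(B):", sha256_hex(BLOCK_A) == sha256_hex(BLOCK_B))
    print("md5 manifest check of B:", verify_manifest_entry(BLOCK_B, "md5", EXPECTED_MD5))
```

Running it prints the shared MD5 digest for both messages, the six (offset, 7) pairs, True for the suffix test, False for the SHA-256 equality and (True, False) for the md5 manifest check: the file matches the manifest, and the match is worthless as evidence of integrity.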