On Tue, May 27, 2003 at 01:31:10AM -0400, Derek Martin wrote:
> > md5sum --check md5list1.txt | grep -i failed > diff.txt
> >
> > I've tried tripwire but found the above much easier to do & understand.
>
> Easier yes, but also far, far less reliable. It is far from
> impossible to modify a file such that its MD5 checksum remains the
> same; after all, it's just a hash function. It's not even that hard,
> if you understand how the hash function works. I understand it is
> even possible, though much harder, to (usefully) modify the file such
> that neither the checksum nor the file size is modified...

Well... because there is no non-brute-force method currently known for creating a collision in MD5, you would need to calculate about 2^64 hashes in order to have a 50% chance of finding one. The proposal for Distributed.Net estimates this will take about 2 years.

So, yes, one might think that MD5 is possibly vulnerable, but not to the sort of attack that a random script-kiddy will be able to carry out.

(More worrying though, would be to mount an attack on a binary that has come from the source distribution, and thus can be expected to be the same on many machines. Getting a useful "MD5-twin" of, say, gcc as distributed by Red Hat, would be nasty. Of course, the fix would be either to compile it yourself, or to get a different version of the binary...)

If you don't trust MD5, then SHA-1 has not yet exposed any vulnerabilities except brute force, and SHA-256, SHA-384, and SHA-512 have been proposed to counter exactly that argument.

-dsr-

--
Network engineer / pre-sales engineer available in the Boston area.
http://tao.merseine.nu/~dsr
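The checksum-list approach the thread weighs against tripwire, written up as an added example (not code from the thread or from BLU): it baselines a directory with SHA-256, the family the reply points to instead of MD5, in the "<hex>  <path>" layout that `sha256sum --check` reads, and then reports files whose digest changed, that vanished, or that appeared. The function names `digest_file`, `build_manifest`, `write_manifest` and `verify` are chosen here.

```python
"""Integrity baseline check in the style of `md5sum --check`, using SHA-256.

Added example, not code from the original thread: builds a manifest in the
"<hex>  <path>" layout that sha256sum --check reads, then verifies a directory
against it, reporting digests that changed, files that vanished and new files.
"""
import hashlib
import os
from typing import Dict, List


def digest_file(path: str, algo: str = "sha256") -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, algo: str = "sha256") -> Dict[str, str]:
    """Map each regular file under root (path relative to root) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # baseline regular files only; symlinks are not recorded
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest_file(full, algo)
    return manifest


def write_manifest(manifest: Dict[str, str], out_path: str) -> None:
    """Emit "<hex>  <path>" lines so `sha256sum --check FILE` can replay them."""
    with open(out_path, "w") as fh:
        for rel in sorted(manifest):
            fh.write(f"{manifest[rel]}  {rel}\n")


def verify(root: str, baseline: Dict[str, str], algo: str = "sha256") -> Dict[str, List[str]]:
    """Like `sha256sum --check | grep -i failed`, plus missing and unlisted files."""
    current = build_manifest(root, algo)
    return {
        "failed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }
```

The manifest has to be kept somewhere the host being checked cannot rewrite (read-only media or another machine), otherwise a tampered file and its updated digest pass the check together.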