brent saner via plug on 24 Sep 2022 11:31:04 -0700



Re: [PLUG] free courses, systemd Win, hashquines


(Apologies for top-posting; on mobile.)

Not sure about a full 2nd pre-image attack as I haven't heard anything about it being practical, but chosen-prefix for MD5 had been around since at least 2012 iirc:

https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf

MD5 is well and truly broken. It shouldn't be trusted for anything except transmission integrity checking, and even then there are significantly better alternatives.

On Sat, Sep 24, 2022, 08:23 Philip Rushik via plug <plug@lists.phillylinux.org> wrote:
On Fri, Sep 23, 2022 at 8:27 PM Walt Mankowski via plug <plug@lists.phillylinux.org> wrote:

> This image contains its own MD5 checksum — and it's kind of a big deal
>
> https://www.bleepingcomputer.com/news/security/this-image-contains-its-own-md5-checksum-and-its-kind-of-a-big-deal/
>
> Hashquines: files containing their own checksums

The folks at PoC||GTFO [1] did this in issue 0x14 back in 2017. Not
only did they put the PDF's MD5 hash on the cover page, the PDF is
also a ZIP file containing the source code for the issue, and it's
ALSO an NES ROM which, when played, prints out its MD5 hash! They
explain how they did it starting on page 56 of that issue.

(Full disclosure: one of the authors was my labmate in grad school.)

1. https://www.alchemistowl.org/pocorgtfo/

Very interesting. PoC||GTFO accomplished this by breaking the md5 up into 1-digit (hexit? hexadigit?) pieces, and then making a 16-way collision between those images; then they could make any combination of those digits without changing the md5 of the document containing them. It allows you to create a document with its own md5, but only requires collision resistance to be broken, not 2nd-preimage resistance. This is, quite frankly, brilliant; I would never have thought of that in a hundred years. It's an excellent illustration of how known vulnerabilities can be used in surprising ways to break things that you didn't know were broken...

I couldn't tell from the bleeping computer article, they didn't really seem to explain the cryptographic implications of this "hashquine" (they seemed to focus on difficulties of manipulating png data instead, which is not really interesting), but the file he created had an md5 with "1337" as the first 4 hexadigits (that's what I'm going with), and the last 4 hexadigits, so that makes me think he is creating files that have _a specific md5_, which would mean that 2nd-preimage resistance is broken.

If that is indeed the case (and I will research more), then yes, that is a big deal.

Regards,
Philip
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
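The collision-only construction described in the quoted message above, as an added example that is not part of the original thread and is not PoC||GTFO's code. It assumes a toy hash (a Merkle-Damgard chain whose compression function is MD5 truncated to 12 bits, so 16-way collisions can be brute-forced) in place of real MD5 collision blocks; all names and constants are constructed for illustration.

```python
import hashlib
from itertools import count

DIGITS = "0123456789abcdef"
IV = 0x5A5   # constructed toy initial state
NHEX = 3     # toy digest: 12 bits = 3 hex digits (assumption, keeps brute force fast)

def compress(state: int, block: bytes) -> int:
    """Toy compression function: MD5(state || block) truncated to 12 bits."""
    d = hashlib.md5(state.to_bytes(2, "big") + block).digest()
    return int.from_bytes(d[:2], "big") >> 4

def toy_hash(blocks) -> str:
    """Chain the blocks from the IV and return the final state as hex."""
    state = IV
    for block in blocks:
        state = compress(state, block)
    return f"{state:0{NHEX}x}"

def multicollision(state: int):
    """Find 16 blocks, one 'showing' each hex digit, that all map state to one next state."""
    target = compress(state, b"0" + (0).to_bytes(4, "big"))
    blocks = {}
    for digit in DIGITS:
        for nonce in count():
            block = digit.encode() + nonce.to_bytes(4, "big")
            if compress(state, block) == target:
                blocks[digit] = block
                break
    return blocks, target

def build_hashquine():
    """Lay out one 16-way collision per digit slot, then pick the digits of the digest."""
    state, slots = IV, []
    for _ in range(NHEX):
        blocks, state = multicollision(state)
        slots.append(blocks)
    digest = f"{state:0{NHEX}x}"  # already fixed before any digit is chosen
    return [slots[i][d] for i, d in enumerate(digest)], slots

def shown_digits(blocks) -> str:
    """The digit each chosen block 'displays' (its first byte)."""
    return "".join(chr(b[0]) for b in blocks)

if __name__ == "__main__":
    quine, _ = build_hashquine()
    print(shown_digits(quine), toy_hash(quine))
```

The digest is never chosen in advance: it falls out of the collision search, and the displayed digits are picked afterwards to match it, which is why only collision resistance has to fail.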