Practical Attacks on Digital Signatures Using MD5 Message Digest
Mikle, Ondrej: Practical Attacks on Digital Signatures Using MD5 Message Digest, Cryptology ePrint Archive, Report 2004/356, http://eprint.iacr.org/2004/356, 2nd December 2004
Abstract
We use the knowledge of the single MD5 collision published by Wang et al. [1] to show an example of a pair of binary self-extracting packages with equal MD5 checksums whose extracted contracts have fundamentally different meanings. Secondly, we demonstrate how an attacker could create a custom pair of such packages, with equal MD5 sums, containing files arbitrarily chosen by the attacker, where each package extracts a different file. Once the algorithm for finding MD5 collisions is published, the attack could be made even more effective, as we explain further. The authors of [1] claim to know such an algorithm for any MD5 initialization vector. A real-world scenario of such an attack is outlined. Finally, we point out the consequences of such an attack for signature schemes based on the MD5 message digest, on an example using GPG.
[1] X. Wang, D. Feng, X. Lai, H. Yu, "Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD", rump session, CRYPTO 2004; Cryptology ePrint Archive, Report 2004/199, http://eprint.iacr.org/2004/199
The paper MD5-POC.pdf discussing the attacks can be found at:

If you came looking for the archive containing the source code and executables, download it here:
Updates
- Later, we found ways to apply this attack to various other formats used in software distribution (zip, tar.bz2, tar.gz, rpm, ...), see here
- Just four days after we submitted our paper to the Cryptology ePrint Archive, a paper describing an attack on MD5 very similar in spirit appeared at http://www.doxpara.com/md5_someday.pdf
- Dec. 14, 2004. Using ISO images (CD-ROM format), it is possible to create a collision just by overwriting the first 1024 bits of the image with the colliding blocks. Such an image can still be mounted, burned and read, because the first 32 KiB of an ISO 9660 image is a reserved system area that the filesystem itself does not use.
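As an added illustration (example code written for this page, not the paper's MD5-POC sources), the script below uses the published Wang et al. colliding pair to show the single mechanism behind all three attacks above: MD5 is a Merkle-Damgård construction, so once two block-aligned prefixes collide, the internal state is identical and any common suffix keeps the collision. A hypothetical two-payload package layout with a tiny "extractor" (our construction, not the paper's binary format) then yields two files with the same MD5 that extract different contracts; the same prefix overwrite reproduces the ISO-image trick; and a model of an MD5-only signature check shows why a signature over one package verifies on the other. The package layout, the contract texts and all function names are assumptions made for this example.

```python
import hashlib
import struct

# The two 128-byte (1024-bit) messages published by Wang et al. (CRYPTO 2004
# rump session).  They differ in only six bytes, yet MD5(WANG_A) == MD5(WANG_B).
WANG_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
WANG_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

BLOCK = 64            # MD5 block size in bytes
PREFIX_LEN = 2 * BLOCK  # the published collision is exactly two blocks long


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def extend_collision(suffix: bytes):
    """Merkle-Damgard prefix property: the colliding prefixes leave MD5 in the
    same internal state, so WANG_A + suffix and WANG_B + suffix collide too."""
    return WANG_A + suffix, WANG_B + suffix


def build_packages(payload_a: bytes, payload_b: bytes):
    """Hypothetical self-extracting package layout (assumption, not the paper's):

        [128-byte colliding prefix][len_a][len_b][payload_a][payload_b]

    Both packages carry BOTH payloads; only the prefix decides which one the
    extractor emits.  The victim signs one package, the attacker ships the other."""
    body = struct.pack(">II", len(payload_a), len(payload_b)) + payload_a + payload_b
    return extend_collision(body)


def extract(package: bytes) -> bytes:
    """The 'self-extractor': branch on which colliding prefix we were built with."""
    prefix, body = package[:PREFIX_LEN], package[PREFIX_LEN:]
    len_a, len_b = struct.unpack(">II", body[:8])
    payload_a = body[8:8 + len_a]
    payload_b = body[8 + len_a:8 + len_a + len_b]
    if prefix == WANG_A:
        return payload_a
    if prefix == WANG_B:
        return payload_b
    raise ValueError("unknown prefix: package does not match either variant")


def overwrite_prefix(data: bytes):
    """The Dec. 14 ISO-image trick, generalised to any file of >= 128 bytes:
    overwrite the first 1024 bits with each colliding block.  The two results
    collide under MD5 regardless of what the rest of the file contains."""
    if len(data) < PREFIX_LEN:
        raise ValueError("need at least 128 bytes to overwrite")
    tail = data[PREFIX_LEN:]
    return WANG_A + tail, WANG_B + tail


def md5_signature_check(package: bytes, signed_digest_hex: str) -> bool:
    """Model of a scheme that signs only the MD5 digest (as MD5-based PGP/GPG
    signatures do): the verifier recomputes MD5 and compares.  A signature over
    package A therefore also verifies on package B."""
    return md5_hex(package) == signed_digest_hex


if __name__ == "__main__":
    honest = b"Contract: I owe you 100 EUR."     # constructed sample text
    forged = b"Contract: I owe you 100000 EUR."  # constructed sample text
    pkg_a, pkg_b = build_packages(honest, forged)
    print("MD5(pkg_a) =", md5_hex(pkg_a))
    print("MD5(pkg_b) =", md5_hex(pkg_b))
    print("pkg_a extracts:", extract(pkg_a))
    print("pkg_b extracts:", extract(pkg_b))
    sig = md5_hex(pkg_a)  # what the victim actually signed
    print("MD5-only signature accepts pkg_b:", md5_signature_check(pkg_b, sig))
```

The practical check this suggests for anyone still verifying downloads or contracts by MD5: a matching MD5 says nothing about a file whose first two blocks an attacker could choose, so compare a second, unbroken digest (SHA-256 today) or sign the content with a scheme whose digest is not MD5.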