root labs rdist

September 15, 2008

MD5 considered primeval

Filed under: Crypto,Security — Nate Lawson @ 7:00 pm

The SF Chronicle talked to me last week about a forensic tool that uses MD5 to ensure its evidence has not been tampered with after collection.

Cellebrite’s Ofrat said that despite the theoretical possibility of hacks to MD5, the likelihood is low. “You’d have to have the best hacker in the world,” he said. But his firm is studying SHA-256 and will move to that if it becomes an industry standard, he said.

I appreciate his humble acknowledgement that anyone who can run a software tool is now “the best hacker in the world”. But perhaps they should move to more secure hash functions like SHA-256 anyway.  After all, other forensic software has moved to SHA-256 since at least 2003 after the US government (NIST) standardized on it in 2002.  Is that standard enough for Cellebrite?

4 Comments

  1. From the site linked to
    “It is important to note that the hash value shared by the two different files is a result of the collision construction process. We cannot target a given hash value, and produce a (meaningful) input bit string hashing to that given value.”

    It is not unreasonable to use MD5sums for tamper detection unless someone is able to generate targeted hashes.

    Comment by Gavin — September 16, 2008 @ 8:43 am

  2. Yes, no one has published second pre-image attacks on MD5 yet. However, you can’t seriously be defending its continued use in any modern system.

    As for MD5’s use with forensics, all criminals can place the known MD5 colliding “magic string” in their data. Then, if caught, produce a totally innocent set of data that matches the same MD5 sums Cellebrite got. Now there’s reasonable doubt that the evidence could have been tampered with.

    MD5 should be retired quickly, even for uses where second pre-image resistance is all that’s needed. Cellebrite’s competitors got the message back in 2003. Why are they trying to ignore this?

    Comment by Nate Lawson — September 16, 2008 @ 10:12 am

  3. The likelihood too low??

    http://www.coresecurity.com/files/attachments/Richarte_MD5-Harmful-today.pdf

    Two executable files with the same MD5 hash, crc-32, checksum-32 and checksum-16:

    http://www1.corest.com/corelabs/projects/research_topics/Richarte_md5-crc32-cksum16-cksum32.zip

    Two executable files with the same MD5 hash:

    http://www1.corest.com/corelabs/projects/research_topics/Richarte_md5-2-collisions.zip

    Eight files with the same MD5 hash:

    http://www1.corest.com/corelabs/projects/research_topics/Richarte_md5-8-collisions.zip

    Turns out that I work with the best hacker in the world!@#$

    Comment by ivan — October 30, 2008 @ 7:24 am

  4. ivan, while I do think you guys are the best hackers in the world, I agree with you that using MD5 is indefensible. Thanks for the nice links.

    Comment by Nate Lawson — November 4, 2008 @ 10:26 am
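
The post's recommendation and the substitution scenario in comment 2, as an added example (not part of the original post or comments). It uses a widely published 128-byte MD5 collision pair as constructed stand-ins for two versions of an evidence file; the names `record`, `verify`, `STRONG` and the status strings are assumptions of this example.

```python
import hashlib

# Widely published MD5 collision pair: two 128-byte inputs differing in six
# bytes. Here they stand in (constructed) for two versions of an evidence file.
IMAGE_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
IMAGE_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")

# Assumption: algorithms this example treats as collision-resistant.
STRONG = {"sha256", "sha384", "sha512"}

def record(data, algorithms):
    """Acquisition-time record: one hex digest per requested algorithm."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}

def verify(data, rec):
    """Compare data against a record made at acquisition time.

    'mismatch'       : at least one recorded digest differs
    'match-md5-only' : digests agree, but none is collision-resistant, so a
                       prepared colliding file would pass the same check
    'match'          : digests agree and include a collision-resistant one
    """
    for alg, digest in rec.items():
        if hashlib.new(alg, data).hexdigest() != digest:
            return "mismatch"
    return "match" if STRONG.intersection(rec) else "match-md5-only"

if __name__ == "__main__":
    md5_only = record(IMAGE_A, ["md5"])
    both = record(IMAGE_A, ["md5", "sha256"])
    print("different content:", IMAGE_A != IMAGE_B)
    print("MD5-only record vs. other file:", verify(IMAGE_B, md5_only))
    print("MD5+SHA-256 record vs. other file:", verify(IMAGE_B, both))
    print("MD5+SHA-256 record vs. original:", verify(IMAGE_A, both))
```
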

