MD5 and SHA cracked/broken...
David Bolen
db3l at fitlinxx.com
Thu Sep 16 11:12:03 EDT 2004
More information about the Python-list mailing list
Thu Sep 16 11:12:03 EDT 2004
- Previous message (by thread): MD5 and SHA cracked/broken...
- Next message (by thread): MD5 and SHA cracked/broken...
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Paul Rubin <http://phr.cx@NOSPAM.invalid> writes: > You don't need preimages to plant a trojan. If you can create mere > collisions, you can create two files, one with a trojan and one > without a trojan, that have the same md5sum. You publish the > non-trojan one, people inspect it carefully and start using it, and > download sites say that its md5sum should be so-and-so. Now you can > replace the non-trojan file with the trojan version and the md5sum > will still verify. But why bother? Clearly in this case I'm in control of the md5sum's publication (since I'm formulating both files to match), so why wouldn't I just publish the trojan one in the first place with an MD5 that matches the trojan? Any user of my package is already trusting that any MD5 I publish is in fact for a proper file, so they are in effect already trusting me. I'd be more concerned that another party (other than myself) was able to insert a different file that matched my original MD5 that I had published. It sounds like this exploit doesn't impact that ability at this point. -- David
- Previous message (by thread): MD5 and SHA cracked/broken...
- Next message (by thread): MD5 and SHA cracked/broken...
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Python-list mailing list