Date: Fri Apr  8 17:50:30 2005
From: security at brvenik.com (Jason)
Subject: Re: Case ID 51560370 - Notice of ClaimedInfringement



Valdis.Kletnieks@...edu wrote:
> On Fri, 08 Apr 2005 12:07:08 EDT, bkfsec said:
> 
> 
>>Craft a file with the same hash, time+date stamp and size, and be sure 
>>to include a program and license disclosure for a program that you 
>>wrote. 
> 
> 
> Unfortunately, nobody has a good algorithm for creating a file that has the
> same MD5 hash as a given existing file.  So while I *can* create two files
> "foo1" and "foo2" that happen to have the same hash (the actual value of which
> I have no control over), I can't (yet) create a file that has the same MD5 hash
> as the trailer for the next Star Wars movie...
> 


I think that entirely depends on the format the file is distributed in. 
You could take a zipfile and pad it in non-critical areas to change the 
MD5 without creating a substantial difference in the deliverable 
content. You could do the same with gzip or bzip formatted files. You 
could also pad any embedded jpeg images to engineer a collision. There 
are quite a few opportunities where this method could be used to twiddle 
the new MD5 without materially changing the content.

Here is the case I am thinking about.

Software that is ~150M in size, it gets redistributed as a new file that 
is 160M in size but has a collision with your software which is also 
160M in size. I imagine there would be some computational time involved 
to find the appropriate collision but a lot less computational time than 
finding a perfect match to the original.

Now everyone must download both files to know for sure that there is a 
violation; in performing this download they are violating the law 
themselves. I doubt you would be awarded any royalties as a result of 
this but it would take all of the meat out of further prosecution 
efforts since they would have to be able to prove they did not violate 
the law and in fact downloaded only the correct version.
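
The observation above, that padding a container changes its MD5 while the delivered content stays the same, is why a check meant to identify content compares the unpacked members rather than the archive file. The following is an added example, not part of the original post; the member names, sample bytes and function names are constructed for illustration.

```python
import hashlib
import io
import zipfile


def build_zip(members, comment=b""):
    """Build an in-memory zip. `comment` is archive-level padding; members are untouched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            # Fixed timestamp so two builds differ only by the padding.
            info = zipfile.ZipInfo(name, date_time=(2005, 4, 8, 17, 50, 30))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
        zf.comment = comment
    return buf.getvalue()


def container_md5(blob):
    """MD5 of the archive file itself, the value a naive file-hash match relies on."""
    return hashlib.md5(blob).hexdigest()


def content_fingerprint(blob):
    """SHA-256 over sorted (name, SHA-256(decompressed data)) pairs of the members."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in sorted(zf.namelist()):
            digest = hashlib.sha256(zf.read(name)).digest()
            h.update(name.encode("utf-8") + b"\0" + digest)
    return h.hexdigest()


# Constructed sample data, not taken from any real distribution.
MEMBERS = {"setup.bin": b"\x90" * 4096, "LICENSE.txt": b"constructed sample license\n"}
ORIGINAL = build_zip(MEMBERS)
PADDED = build_zip(MEMBERS, comment=b"\0" * 1024)                      # same content, padded container
MODIFIED = build_zip({**MEMBERS, "LICENSE.txt": b"different text\n"})  # content actually differs

if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("padded", PADDED), ("modified", MODIFIED)):
        print(f"{label:9} size={len(blob):6} md5={container_md5(blob)} "
              f"content={content_fingerprint(blob)[:16]}")
```
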
