[Noisebridge-discuss] Anti-piracy / anti-Pirate Bay law currently in Congress [drama]

Moxie Marlinspike moxie at thoughtcrime.org
Tue Sep 28 22:16:42 UTC 2010


On 09/28/2010 05:51 PM, Josh Myer wrote:
> So, if an attacker can get the machine state that represents the input to
> finalize() that yields what they know to be MD5("x"), they can trivially run
> MD5(that_state, "whatever they want") and submit it.  (Why do you need to
> know the length?  It's a part of the finalize step.)

I can't think of a situation where an attacker would ever be given this
intermediate state.  If we're only talking about one block of data, then
this intermediate state doesn't exist in any real way.  If you call
md5_update(<data_less_than_512_bits>), it simply copies that data to an
internal buffer.  Nothing happens until it has a full block.  To be
given the internal state would be tantamount to being given the
plaintext of the original message, since that's all it is at that point.

The magic is that all finalize() does is pad the last block out with
some known padding and a 64-bit length before running the compression
function on it.  So you can extend this last block simply by having the
data that you're extending the message with begin with that padding and
length value.  This strictly breaks UF-CMA.

- moxie

-- 
http://www.thoughtcrime.org
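The extension step Moxie describes, as an added worked example (not code from the original thread or from the poster): a pure-Python MD5 per RFC 1321 is needed because hashlib offers no way to seed the chaining state from a digest. The attacker is assumed to know the tag MD5(secret || message), the message, and len(secret); the secret itself, the message and the extension below are constructed sample values. The digest is the chaining state after the last padded block, so re-injecting it and feeding the original padding ("glue") followed by new data yields a valid tag for secret || message || glue || extension. The length question from the quoted reply shows up as the `known_len` argument: it goes into the glue and into the final length field, so a wrong guess produces a tag the server rejects. HMAC does not have this property; only the bare H(key || message) construction does.

```python
import hashlib
import math
import struct

# Round constants from RFC 1321: per-step rotation amounts and floor(abs(sin(i+1)) * 2^32).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
MASK = 0xFFFFFFFF


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK


def _compress(state, block):
    """One MD5 compression call: absorb a 64-byte block into the four-word chaining state."""
    a, b, c, d = state
    m = struct.unpack('<16I', block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & MASK
        a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & MASK
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))


def md5_padding(msg_len):
    """Exactly what finalize() appends: 0x80, zeros up to 56 mod 64, then the
    64-bit little-endian bit length of everything hashed so far."""
    length_field = struct.pack('<Q', (msg_len * 8) & 0xFFFFFFFFFFFFFFFF)
    return b'\x80' + b'\x00' * ((55 - msg_len) % 64) + length_field


def md5_from_state(state, data, absorbed):
    """Run MD5 from an arbitrary chaining value. `absorbed` is how many bytes that
    state already covers (a multiple of 64), so the final length field is correct."""
    if absorbed % 64:
        raise ValueError('an injectable state only exists on a block boundary')
    buf = data + md5_padding(absorbed + len(data))
    for off in range(0, len(buf), 64):
        state = _compress(state, buf[off:off + 64])
    return struct.pack('<4I', *state).hex()


def md5(data):
    """Plain MD5, used to sanity-check this implementation against hashlib."""
    return md5_from_state(IV, data, 0)


def length_extend(tag_hex, known_len, extension):
    """Given tag = MD5(secret || msg) and known_len = len(secret || msg), forge the tag for
    secret || msg || glue || extension without knowing secret. Returns (glue, forged_tag)."""
    state = struct.unpack('<4I', bytes.fromhex(tag_hex))   # the digest is the chaining state
    glue = md5_padding(known_len)                           # padding the server's finalize() added
    forged = md5_from_state(state, extension, known_len + len(glue))
    return glue, forged


def forgery_verifies(secret, message, extension):
    """Simulate victim (holds secret) and attacker (sees only tag, message, len(secret))."""
    tag = hashlib.md5(secret + message).hexdigest()          # MAC the server hands out
    glue, forged = length_extend(tag, len(secret) + len(message), extension)
    # The server recomputes MD5(secret || submitted data) and compares with the submitted tag.
    return hashlib.md5(secret + message + glue + extension).hexdigest() == forged


if __name__ == '__main__':
    # Constructed sample values; the attacker never sees SECRET.
    SECRET = b'server-side-key-0xC0FFEE'
    MESSAGE = b'user=alice&role=user'
    print('MD5 self-check:', md5(b'abc') == hashlib.md5(b'abc').hexdigest())
    print('forged tag accepted:', forgery_verifies(SECRET, MESSAGE, b'&role=admin'))
```

The forged message carries the glue bytes (0x80, zeros, length) in the middle; whether a parser on the receiving side tolerates them is the usual practical question, and the classic answer for `key=value` formats is that it does, since later keys override earlier ones.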


