Bogus digital signatures, Re: OT: utility account transfer frauds
lists@notatla.demon.co.uk
Sat, 12 Oct 2002 17:30:29 +0100 (BST)
From: Matthew Astley <lists-ukcrypto@fruitcake.demon.co.uk>
> http://www.certainkey.com/dnet/
> http://lists.distributed.net/hypermail/rc5.Sep2002/subject.html#37
> This attack appears to be aimed at breaking MD5 fairly severely. I
> believe this would render all PGP 2.6.x signatures worthless,
The search restricts itself to 128-bit inputs but should work with them.
Typical key signatures use MD5 on lengths of 129 or 257 bytes.
(pgp263ii keymgmt.c line 1279)
> The project itself is aimed at finding any old collision, but once you
> get one then many more follow. The fact that you can pre-calculate
> all except the last part of MD5 makes exploiting this easier.
If they're right and they can get from one collision to many of them
that's pretty scary. They didn't explain how they plan to do that.
They also didn't explain how they plan to keep out false contributions.
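
The quoted claims that "once you get one then many more follow" and that all but the last part of the hash can be pre-calculated both come from the iterated (Merkle-Damgard) structure MD5 uses. The following is an added illustration, not part of the original message or of the project it discusses. It assumes a toy hash with an 8-byte block and a 24-bit chaining value (built from truncated MD5) so that a collision can be found by brute force; the names `toy_hash`, `compress` and `find_block_collision` and the constants are constructed for the example.

```python
import hashlib
import itertools
import struct

BLOCK = 8             # toy block size in bytes (assumption; MD5 uses 64)
STATE_BYTES = 3       # toy 24-bit chaining value (assumption; MD5 uses 128 bits)
IV = b"\x01\x23\x45"  # constructed initial value

def compress(state, block):
    """Toy compression function: truncated MD5 over state || block."""
    return hashlib.md5(state + block).digest()[:STATE_BYTES]

def toy_hash(msg, state=IV, prefix_len=0):
    """Iterated hash with length padding.

    state/prefix_len let the caller resume from a midstate computed over a
    prefix whose length is a multiple of BLOCK.
    """
    zeros = -(len(msg) + 5) % BLOCK  # room for the 0x80 marker and 4-byte length
    padded = (msg + b"\x80" + b"\x00" * zeros
              + struct.pack(">I", prefix_len + len(msg)))
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state.hex()

def find_block_collision(state=IV):
    """Birthday search for two distinct blocks giving the same chaining value."""
    seen = {}
    for n in itertools.count():
        block = struct.pack(">Q", n)
        out = compress(state, block)
        if out in seen:
            return seen[out], block
        seen[out] = block

if __name__ == "__main__":
    a, b = find_block_collision()
    print("colliding blocks:", a.hex(), b.hex(), "->", toy_hash(a), toy_hash(b))
    mid = compress(IV, a)  # midstate shared by both colliding blocks
    for suffix in (b"pay 10 pounds", b"any other text of any length"):
        ha, hb = toy_hash(a + suffix), toy_hash(b + suffix)
        # Only the suffix is hashed here; the first block is already "pre-calculated".
        resumed = toy_hash(suffix, state=mid, prefix_len=BLOCK)
        print(suffix, ha, hb, ha == hb == resumed)
```

The search succeeds after a few thousand trials only because the toy state is 24 bits wide; nothing here finds collisions in MD5 itself. What carries over is the structure: two equal-length inputs that collide at a block boundary keep colliding under every common suffix.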