MD5 Proven Ineffective for App Signatures

MD5 Proven Ineffective for App Signatures 117

Posted by Zonk on Sunday December 02, 2007 @07:31AM from the needs-a-bit-of-retooling dept.

prostoalex writes "Marc Stevens, Arjen K. Lenstra, and Benne de Weger have released their paper 'Vulnerability of software integrity and code signing applications to chosen-prefix collisions for MD5'. It describes a reproducible attack on MD5 algorithms to fake software signatures. Researchers start off with two simplistic Windows applications — HelloWorld.exe and GoodbyeWorld.exe, and apply a known prefix attack that makes md5() signatures for both of the applications identical. Researchers point out: 'For abusing a chosen-prefix collision on a software integrity protection or a code signing scheme, the attacker should be able to manipulate the files before they are being hashed and/or signed. This may mean that the attacker needs insider access to the party operating the trusted software integrity protection or code signing process.'"

MD5 Proven Ineffective for App Signatures

Search 117 Comments Log In/Create an Account

Comments Filter:

Re:This is a REMOTE attack, and reasonably potent (Score:5, Funny)

by quigonn ( 80360 ) writes: on Sunday December 02, 2007 @09:13AM (#21551241) Homepage

If you'd read the article,

Reading the article? THIS IS SLASHDOT!!!!!!1!

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

MD5 Proven Ineffective for App Signatures 117

MD5 Proven Ineffective for App Signatures More Login

MD5 Proven Ineffective for App Signatures

Re:This is a REMOTE attack, and reasonably potent (Score:5, Funny)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot