Stories
Slash Boxes
Comments
typodupeerror delete not in
  • Preferences

+-   MD5 proven ineffective for app signatures-> on Saturday December 01 2007, @11:22PM prostoalex

Submitted by prostoalex on Saturday December 01 2007, @11:22PM
security
prostoalex writes "Marc Stevens, Arjen K. Lenstra, and Benne de Weger have released their paper 'Vulnerability of software integrity and code signing applications to chosen-prefix collisions for MD5', which describes a reproducible attack on MD5 algorithm to fake software signatures. Researchers start off with two simplistic Windows applications — HelloWorld.exe and GoodbyeWorld.exe, and apply a known prefix attack that makes md5() signatures for both of the applications identical. Is it the end of signed software? Not quite, researchers point out: "For abusing a chosen-prefix collision on a software integrity protection or a code signing scheme, the attacker should be able to manipulate the files before they are being hashed and/or signed. This may mean that the attacker needs insider access to the party operating the trusted software integrity protection or code signing process. An attacker with such access can most probably do more harm anyway, without the need for chosen-prefix collisions, to get official digital signatures on malware.""
Link to Original Source
submission
This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

MD5 proven ineffective for app signatures 0 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
Search
The unfacts, did we have them, are too imprecisely few to warrant our certitude.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.