Storm brewing over SHA-1 as further breaks are found
Robert Lemos, SecurityFocus 2005-08-23

Three Chinese researchers have further refined an attack on the encryption standard frequently used to digitally sign documents, making the attack 64 times faster and leaving cryptographers to debate whether the standard, known as the Secure Hash Algorithm, should be phased out more quickly than planned.

Comments

Storm brewing over SHA-1 as further breaks are found
RT, 2005-08-25 (1 reply)

Unfortunately, not necessarily true.
Roger, 2005-08-29 (1 reply)
What RT is referring to is the fact that the found collisions are basically random, with no structure controllable by the attacker. However, it has already been demonstrated how many document formats and message protocols allow this random "junk" to be hidden. The two documents look totally different and need not show any apparent signs of tampering unless their internal code is disassembled, yet they hash to the same value.

The formats for which this (actually demonstrated) technique can be used so far consist only of ones which effectively have internal processing capabilities, such as PDF, PostScript, MS Word, HTML with JavaScript, etc. Gosh, that already covers quite a lot, including many emails.

However it could be a mistake to assume that even "pure data" formats are safe. If the attack can be extended to one where the initial differential is chosen at the start of the calculation instead of fixed at zero -- a modification which seems quite possible at our current state of understanding -- then the collision can be forced in a document postfix instead of prefix. In that case, the junk bytes could be just 7 pixels at the end of a bitmap, very unlikely to be noticed even in a format as transparent as a bitmap.

Who knows, other tricks may also be possible. Basically, once people can screw around like this, you can no longer simply trust the algorithm; every application requires an expert analysis to see if it is safe, and that analysis needs to be reviewed every time the attacks are improved.


Link to this comment: http://www.securityfocus.com/comments/articles/11292/32365#32365
Copyright 2009, SecurityFocus