Posted Jun 16, 2005 5:47 UTC (Thu) by iabervon
Parent article: MD5 collisions
Note, however, that the Lucks and Daum paper is really a social engineering and judgement error; it involves getting the victim to sign a malicious document based on accepting an innocent-looking rendering. Then the attacker can replace one block of non-rendered garbage with a different block of non-rendered garbage, in a way that the weak collision attack on MD5 allows, and thereby tell the scripting engine to render entirely different text.
Of course, the document the victim is given actually contains the malicious text, which may be a sufficient attack even without the block swap; the attacker could just get a document with malicious comments signed, and then claim that the signer had signed off on the stuff in the comments. Or, as someone pointed out on Slashdot, the document could display differently depending on the size of the output device or any number of other factors. These days, PDFs can even make HTTP requests after the signature check, and render the result.
Essentially, the class of documents that the Lucks and Daum attack works on is really a class which shouldn't be signed without a detailed analysis, even if this attack were not available.
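A sketch of the pre-signing review the comment above argues for, as an added example that is not part of the original comment: it lists every string a PostScript source could pass to `show` in any branch, plus its comments, and flags conditional operators. The sample documents, the blob placeholders and the function names are constructed for illustration, and the scan is a triage heuristic only, since PostScript can build strings and operators at run time.

```python
import re

# Constructed sample in the shape the comment describes: two opaque blobs are
# compared and the result selects which text is rendered (blobs are placeholders).
CONDITIONAL_PS = """%!PS-Adobe-1.0
(BLOB-A-placeholder) (BLOB-B-placeholder) eq
{ 72 700 moveto (Letter of recommendation) show }
{ 72 700 moveto (Grant full access to files) show }
ifelse
showpage
"""

# Constructed sample with a single, unconditional rendering.
PLAIN_PS = """%!PS-Adobe-1.0
% draft 3
72 700 moveto (Quarterly report) show
showpage
"""

CONDITIONALS = {"if", "ifelse"}
# String literal (no nested parentheses), comment, brace, or bare name/number.
TOKEN = re.compile(r"\((?:\\.|[^()\\])*\)|%[^\n]*|[{}]|[^\s(){}%]+")

def review_before_signing(ps_text):
    """Return (conditional_count, comments, shown_strings).

    shown_strings holds every literal handed to `show` in ANY branch, not
    only the branch a viewer happens to render for the signer.
    """
    conditionals, comments, shown = 0, [], []
    prev = None
    for tok in TOKEN.findall(ps_text):
        if tok.startswith("%"):
            comments.append(tok[1:].strip())
            continue  # comments do not affect operand/operator pairing
        if tok in CONDITIONALS:
            conditionals += 1
        elif tok == "show" and prev is not None and prev.startswith("("):
            shown.append(prev[1:-1])
        prev = tok
    return conditionals, comments, shown

def needs_detailed_analysis(ps_text):
    """True when what is rendered can depend on data inside the file."""
    return review_before_signing(ps_text)[0] > 0

if __name__ == "__main__":
    for name, doc in (("conditional", CONDITIONAL_PS), ("plain", PLAIN_PS)):
        print(name, needs_detailed_analysis(doc), review_before_signing(doc))
```
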