LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Two files with the same MD5 digest

Two files with the same MD5 digest

Posted Mar 2, 2007 17:03 UTC (Fri) by giraffedata (subscriber, #1954)
In reply to: Hunting for Rootkits by tialaramex
Parent article: Hunting for Rootkits

So let me get this straight: The salesman created two contracts: one said $200 and the other said $4000 and they both have the same MD5 digest. I signed the MD5 digest. The Accounts Payable people are pretty stupid then, aren't they? With $4000 at stake, they should demand a signed copy of the full contract.

But I'm sure if we think hard enough, we can find a case where signing a whole file is impractical and this twin-file technique would work.

(Log in to post comments)

Two files with the same MD5 digest

Posted Mar 3, 2007 14:23 UTC (Sat) by kevinbsmith (guest, #4778) [Link]

No, you signed the full $200 contract. Signing a digest is the same as signing the document. If the vendor delivers the contract to Accounts Payable, with your signature, they could deliver either the $200 contract (signed by you) or the $4000 contract (also signed by you). To foil (or at least detect) the attack, YOU would have to deliver the contract (the $200 one that you think you signed) to Accounts Payable yourself.

But this is just an example story, so don't get caught up in the unimportant details. The attack is possible any time you MD5 sign a document that was created by someone else.

The trivial defense is to make slight changes to the document before signing it. Even adding a few spaces. I suppose the other defense, at least to help you later in court, is to be sure to keep an archive copy of everything you sign.

At least that's my understanding. I'm not a crypto expert.

Two files with the same MD5 digest

Posted Mar 3, 2007 19:10 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

Signing a digest is the same as signing the document.

In what way? As we've shown here, fraud is possible when you sign the digest and not when you sign the full document. That's a big difference.

If I sign the full document, that means I encrypt the actual PDF with my private key and send the result to the salesman. He forwards it to Accounts Payable, which looks up my public key and decrypts it. The result is a PDF in which AP must see the same price I saw when I signed it.

People like to sign digests instead because it uses less resources. Sometimes the tradeoff is worthwhile.

To foil (or at least detect) the attack, YOU would have to deliver the contract ... to Accounts Payable yourself.
the other defense, at least to help you later in court, is to be sure to keep an archive copy of everything you sign.

Those defeat much of the purpose of the signature, either allowing me to defraud the vendor or leaving an open question of what the agreed price was. It would be no worse than paper, though, where the salesman can take the signature sheet off the $200 contract and staple it to the $4000 one.

Electronic signatures have the wonderful advantage over paper of non-repudiation. I can't deny that I authorized $4000 if I did.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds