LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Two files with the same MD5 digest

Two files with the same MD5 digest

Posted Mar 3, 2007 14:23 UTC (Sat) by kevinbsmith (guest, #4778)
In reply to: Two files with the same MD5 digest by giraffedata
Parent article: Hunting for Rootkits

No, you signed the full $200 contract. Signing a digest is the same as signing the document. If the vendor delivers the contract to Accounts Payable, with your signature, they could deliver either the $200 contract (signed by you) or the $4000 contract (also signed by you). To foil (or at least detect) the attack, YOU would have to deliver the contract (the $200 one that you think you signed) to Accounts Payable yourself.

But this is just an example story, so don't get caught up in the unimportant details. The attack is possible any time you MD5 sign a document that was created by someone else.

The trivial defense is to make slight changes to the document before signing it. Even adding a few spaces. I suppose the other defense, at least to help you later in court, is to be sure to keep an archive copy of everything you sign.

At least that's my understanding. I'm not a crypto expert.

(Log in to post comments)

Two files with the same MD5 digest

Posted Mar 3, 2007 19:10 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

Signing a digest is the same as signing the document.

In what way? As we've shown here, fraud is possible when you sign the digest and not when you sign the full document. That's a big difference.

If I sign the full document, that means I encrypt the actual PDF with my private key and send the result to the salesman. He forwards it to Accounts Payable, which looks up my public key and decrypts it. The result is a PDF in which AP must see the same price I saw when I signed it.

People like to sign digests instead because it uses less resources. Sometimes the tradeoff is worthwhile.

To foil (or at least detect) the attack, YOU would have to deliver the contract ... to Accounts Payable yourself.
the other defense, at least to help you later in court, is to be sure to keep an archive copy of everything you sign.

Those defeat much of the purpose of the signature, either allowing me to defraud the vendor or leaving an open question of what the agreed price was. It would be no worse than paper, though, where the salesman can take the signature sheet off the $200 contract and staple it to the $4000 one.

Electronic signatures have the wonderful advantage over paper of non-repudiation. I can't deny that I authorized $4000 if I did.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds