Two files with the same MD5 digest
Posted Mar 3, 2007 14:23 UTC (Sat) by kevinbsmith
In reply to: Two files with the same MD5 digest
Parent article: Hunting for Rootkits
No, you signed the full $200 contract. Signing a digest is the same as signing the document. If the vendor delivers the contract to Accounts Payable, with your signature, they could deliver either the $200 contract (signed by you) or the $4000 contract (also signed by you). To foil (or at least detect) the attack, YOU would have to deliver the contract (the $200 one that you think you signed) to Accounts Payable yourself.
But this is just an example story, so don't get caught up in the unimportant details. The attack is possible any time you MD5 sign a document that was created by someone else.
The trivial defense is to make slight changes to the document before signing it. Even adding a few spaces. I suppose the other defense, at least to help you later in court, is to be sure to keep an archive copy of everything you sign.
At least that's my understanding. I'm not a crypto expert.
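The attack this comment describes and both defenses it suggests, as an added example that is not code from the post or from LWN. It assumes a deliberately weakened hash (MD5 truncated to 24 bits) so that a colliding pair of contracts can be found in milliseconds by a birthday search; the signing key, the contract text and the "reviewed and signed" marker are constructed placeholders:

```python
import hashlib
import hmac

# Constructed stand-in for a collision-prone hash: MD5 truncated to 24 bits,
# so a birthday search finds collisions cheaply. Real MD5 collisions need the
# published cryptanalytic attacks, but the signing logic is the same either
# way: the signature covers only the digest, not the bytes of the document.
def weak_digest(doc: bytes) -> bytes:
    return hashlib.md5(doc).digest()[:3]

# Placeholder signing key; a real signer would use an asymmetric private key.
SIGNING_KEY = b"demo-signing-key"

def sign(doc: bytes) -> str:
    """Sign the digest, not the document: anything with the same digest verifies."""
    return hmac.new(SIGNING_KEY, weak_digest(doc), "sha256").hexdigest()

def verify(doc: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(doc), signature)

def find_colliding_pair(benign: bytes, malicious: bytes,
                        table_size: int = 1 << 13, max_tries: int = 1 << 16):
    """Birthday search: pad each contract with an invisible run of trailing
    spaces until a $200 version and a $4000 version share a digest. This
    models the vendor preparing both contracts before handing one over."""
    table = {}
    for i in range(table_size):
        candidate = benign + b" " * i
        table[weak_digest(candidate)] = candidate
    for j in range(max_tries):
        candidate = malicious + b" " * j
        match = table.get(weak_digest(candidate))
        if match is not None:
            return match, candidate
    raise RuntimeError("no collision found within the search bounds")

def sign_with_perturbation(doc: bytes) -> tuple:
    """First defense from the comment: alter the document before signing, so
    the signed digest is not one the document's author could precompute.
    The marker is a constructed example; a random nonce works just as well."""
    edited = doc.rstrip(b" ") + b"\n-- reviewed and signed by the signer\n"
    return edited, sign(edited)

def matches_archive(archived: bytes, presented: bytes) -> bool:
    """Second defense: keep a copy of what you signed and compare bytes,
    not digests, when the document is presented later."""
    return hmac.compare_digest(archived, presented)

def demo():
    benign_prefix = b"Contract: vendor will be paid $200 for services."
    malicious_prefix = b"Contract: vendor will be paid $4000 for services."
    small, large = find_colliding_pair(benign_prefix, malicious_prefix)
    assert weak_digest(small) == weak_digest(large)
    sig = sign(small)                 # signer believes they signed the $200 version
    transferred = verify(large, sig)  # True: the $4000 version carries the same signature
    edited, sig2 = sign_with_perturbation(small)
    defended = verify(large, sig2)    # False: the precomputed collision no longer applies
    archived_ok = matches_archive(edited, large)  # False: archive exposes the swap
    return transferred, defended, archived_ok

if __name__ == "__main__":
    transferred, defended, archived_ok = demo()
    print("signature transfers to the $4000 contract:", transferred)
    print("still transfers after editing before signing:", defended)
    print("presented contract matches archived copy:", archived_ok)
```

Truncating the hash is only what makes the collision search fast enough to run here; the point it illustrates is independent of the hash strength. Once two documents share a digest, `sign` and `verify` cannot tell them apart, and only a change the signer makes after receiving the document (or a byte-for-byte archive) restores the distinction.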