On Sun, Jun 12, 2005 at 10:25:55AM +0200, Petr Baudis wrote:
> ----- Forwarded message from zooko@zooko.com -----
>
> There is nothing theoretically surprising about this, but hopefully its
> concreteness and the accompanying scenario will make an impression
> on people. The same technique should work to generate two documents with
> identical SHA1 hashes.
>
> http://www.cits.rub.de/MD5Collisions/
>
> ----- End forwarded message -----
>
> I expected the two postscript files differing in some huge binary blob,
> but it turns out the binary part is very small (about 256 bytes) and
> only a few (about nine) bytes are different, contrary to how people have
> predicted the collisions. This is much closer to finding a collision
> between similar pure C files, I think. Rather unsettling.
>

This attack scenario doesn't demonstrate the danger of hash collisions but
the danger of signing documents you do not understand. The same technique
works exactly in the same way with postscript files which are actually
identical but produce different output under different conditions (time,
fonts installed on the printer, whatever).

Never sign anything but plain text or documents which are created in a
controlled way and avoid signing documents you did not create yourself.

Martin

-- 
One night, when little Giana from Milano was fast asleep,
she had a strange dream.
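
The following is an added example, not part of the original message or of any project mentioned in it: a heuristic pre-signing check that flags PostScript constructs able to change what a document renders, the property the reply above warns about. The operator list, the function names and the sample documents are assumptions constructed for illustration.

```python
# Operators whose value depends on the interpreter's environment (assumed, not exhaustive).
ENV_OPS = {"realtime", "usertime", "resourcestatus", "FontDirectory"}
BRANCH_OPS = {"if", "ifelse"}

def tokens(ps):
    """Yield PostScript tokens; comments are dropped, string bodies are hidden."""
    i, n = 0, len(ps)
    while i < n:
        c = ps[i]
        if c == "%":                      # comment runs to end of line
            while i < n and ps[i] not in "\r\n":
                i += 1
        elif c == "(":                    # string literal, may nest and escape
            depth, i = 1, i + 1
            while i < n and depth:
                if ps[i] == "\\":
                    i += 1                # skip the escaped character
                elif ps[i] == "(":
                    depth += 1
                elif ps[i] == ")":
                    depth -= 1
                i += 1
            yield "(string)"
        elif c.isspace():
            i += 1
        elif c in "{}[]":
            yield c
            i += 1
        else:                             # name, number or operator
            j = i + 1
            while j < n and not ps[j].isspace() and ps[j] not in "(){}[]%":
                j += 1
            yield ps[i:j]
            i = j

def presign_findings(ps):
    """Return (reason, token) pairs for constructs that can change what is rendered."""
    toks, found = list(tokens(ps)), []
    for k, t in enumerate(toks):
        if t in ENV_OPS:
            found.append(("environment-dependent value", t))
        elif t == "eq" and k >= 2 and toks[k - 1] == toks[k - 2] == "(string)":
            found.append(("comparison of two literal strings", t))
        elif t in BRANCH_OPS:
            found.append(("conditional rendering", t))
    return found

# Constructed sample documents: one straight-line page, one that branches on embedded data.
PLAIN = "%!PS\n/Helvetica findfont 12 scalefont setfont\n72 720 moveto (Total: 100 EUR) show showpage\n"
BRANCHING = "%!PS\n(AAAA) (AAAB) eq { (Pay 100 EUR) } { (Pay 100000 EUR) } ifelse show showpage\n"
```

Generator prologues use `if` and `ifelse` legitimately, so a finding is a prompt to inspect the document before signing, not proof of tampering; an empty result does not prove a document is safe to sign.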