Re: [sleuthkit-users] fiwalk
From: RB <ao...@gm...> - 2014-11-12 17:56:05
On Wed, Nov 12, 2014 at 10:19 AM, Jason Wright <jwr...@gm...> wrote:
> Separately from this, but somewhat related, given the chatter regarding MD5
> of late, e.g.
> http://arstechnica.com/security/2014/11/crypto-attack-that-hijacked-windows-update-goes-mainstream-in-amazon-cloud/,
> is there any concern for relying on MD5 in digital forensics?

I'd love to jump right in there. MD5 is passing its use-by date and should generally not be used for new projects, but it's not quite the "abandon ship" picture the original author and everyone else seems to want to paint. Hooray for headline-chasing rather than realism. Let's inject a little of the latter.

The linked attack takes two dissimilar images of the same size and requires that their differences be "of a particular form." Someone closer to cryptography can explain the "particular form" better than I, but what it boils down to is that it is NOT a generalized attack for any file type. The attack then modifies _both_ files progressively, adding semi-random data until their MD5 matches, something of a "birthday attack meets in the middle" approach.

This is bad, but any analyst with their head on their shoulders will recognize that:

a) to be exploited it would require access to modify the "original" as well as the "new" file, and
b) the data added is non-meaningful.

Full stop. Nobody has figured out a way to change "mary had a little lamb" to "drink your ovaltine"; this is random data appended to an already lossy format in a highly detectable manner. Those files you have with only MD5 checksums from 10 years ago are still mostly safe so long as your attacker doesn't have access to modify them as well.

Should you use more than just MD5 to track or identify files? Yes. Size and multiple checksums are a great way to guard against this kind of attack. Should new applications depend solely on MD5? Probably not; there are better alternatives whose additional cost (both programming and computational) is effectively zero.
Someone wake me up when (or at least stop the sensationalism until) an attacker can generate an arbitrary, meaningful file with minimal size difference from and the same MD5 as the original without altering the original. Then MD5 is completely dead.
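The "size plus multiple checksums" advice in the reply above, shown on a real MD5 collision. This is an added example and is not part of RB's post, the original thread, or The Sleuth Kit / fiwalk code. The two 128-byte messages are the collision pair published by Wang et al. in 2004, reproduced here from the public literature (treat the hex as an assumption; if it were mis-transcribed the md5 equality check would simply fail). The fingerprint(), same_file(), differing_bytes() and md5_survives_common_suffix() names are mine, chosen to mimic the kind of per-file hash record a DFXML-style tool might emit.

```python
import hashlib

# Constructed inline sample data: the well-known Wang et al. (2004) pair of
# 128-byte messages that share an MD5 digest. They differ in exactly six bytes
# (each differs by 0x80, i.e. one bit), matching the published differential.
# The values are an assumption reproduced from the literature, not from the post.
COLLIDING_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLIDING_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def fingerprint(data: bytes) -> dict:
    """Record size plus several digests for one file's contents.

    This mirrors what a DFXML-style <fileobject> might carry (hypothetical
    field names); the point is that identity is a tuple, not a single MD5.
    """
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def same_file(fp_a: dict, fp_b: dict,
              fields=("size", "md5", "sha1", "sha256")) -> bool:
    """Treat two records as the same content only if every chosen field matches.

    Matching on ("size", "md5") alone is fooled by the pair above; adding any
    second, independent hash is not.
    """
    return all(fp_a[f] == fp_b[f] for f in fields)


def differing_bytes(a: bytes, b: bytes) -> list:
    """Offsets at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def md5_survives_common_suffix(a: bytes, b: bytes, suffix: bytes) -> bool:
    """Show the Merkle-Damgard property behind 'the added data is random'.

    Once two equal-length, block-aligned messages collide, MD5's internal
    state is identical, so any identical suffix appended to both keeps the
    digests equal. That is why the random-looking collision blocks can be
    followed by perfectly meaningful (but shared) content in both files.
    """
    return (hashlib.md5(a + suffix).hexdigest()
            == hashlib.md5(b + suffix).hexdigest())


if __name__ == "__main__":
    fa, fb = fingerprint(COLLIDING_A), fingerprint(COLLIDING_B)
    for k in fa:
        print(f"{k:>6}: A={fa[k]}  B={fb[k]}  equal={fa[k] == fb[k]}")
    print("differing offsets:", differing_bytes(COLLIDING_A, COLLIDING_B))
    print("size+md5 says same file:", same_file(fa, fb, ("size", "md5")))
    print("all fields say same file:", same_file(fa, fb))
    print("collision survives shared suffix:",
          md5_survives_common_suffix(COLLIDING_A, COLLIDING_B, b"shared tail"))
```

Run it as a script to see the size and MD5 agree while SHA-1 and SHA-256 do not; the same fingerprint() record is what you would want a hash database or DFXML output to carry so that an MD5-only match can be cross-checked against a second digest.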