Topic: A basic question - page 3. (Read 5598 times)

legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
April 22, 2015, 02:41:05 PM
#71
I don't think anyone knows what the weakness is but that was 1995 and there's been other collision attacks published since with SHA 1.  

what is your point?

2004, but my point has to do with the culture of both cryptography and intelligence.

The "weakness" was that the NSA had not broken it yet.

Most cryptographers are academics. They play the common academic game of justifying their actions. My guess is that a lot of academic cryptographers feel that 'state of the art' should be half a step, not a full step, ahead of 'old'. In other words they have the Marie Antoinetteish posture that "we are doing something good, promoting some higher value others don't see, and so we have certain responsibilities and privileges to enforce". i.e. "We will use cryptography to develop math across borders" etc. i.e. "rather than to do the honest work of providing secure cryptography that can be protected from attacks by anyone, including us".

Specifically I am referring to Snowden type leaks that show deliberate weaknesses built into U.S. cryptography, as well as research showing such deliberate shoddiness, such as the cryptobang article mentioned earlier. If you are not able to find the article, or a copy, I will provide links.

Coin security may be fun and games for some people but I stand to lose quite a high percentage of the little I have if it turns out that governments are going to enforce their academic values on the altcoin economy.

You're basically saying cryptographers aren't terribly concerned about security.  Doesn't that sound a little silly?

Also, putting backdoors into hash functions isn't like putting backdoors into operating systems or something like that.
I'm not an expert but I don't think it's very doable as the MD construction has been around a while.
Of more concern to Bitcoin would be how the ECC is implemented.
newbie
Activity: 14
Merit: 0
April 22, 2015, 02:04:02 PM
#70
I don't think anyone knows what the weakness is but that was 1995 and there's been other collision attacks published since with SHA 1.  

what is your point?

2004, but my point has to do with the culture of both cryptography and intelligence.

The "weakness" was that the NSA had not broken it yet.

Most cryptographers are academics. They play the common academic game of justifying their actions. My guess is that a lot of academic cryptographers feel that 'state of the art' should be half a step, not a full step, ahead of 'old'. In other words they have the Marie Antoinetteish posture that "we are doing something good, promoting some higher value others don't see, and so we have certain responsibilities and privileges to enforce". i.e. "We will use cryptography to develop math across borders" etc. i.e. "rather than to do the honest work of providing secure cryptography that can be protected from attacks by anyone, including us".

Specifically I am referring to Snowden type leaks that show deliberate weaknesses built into U.S. cryptography, as well as research showing such deliberate shoddiness, such as the cryptobang article mentioned earlier. If you are not able to find the article, or a copy, I will provide links.

Coin security may be fun and games for some people but I stand to lose quite a high percentage of the little I have if it turns out that governments are going to enforce their academic values on the altcoin economy.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
April 22, 2015, 01:10:44 PM
#69
I don't think anyone knows what the weakness is but that was 1995 and there's been other collision attacks published since with SHA 1. 

what is your point?
newbie
Activity: 14
Merit: 0
April 22, 2015, 01:00:46 PM
#68
Quote
It seems from the descriptions of the various md5 cracks that md5 lacks collision resistance, therefore you could find a second, or fabricated, input which would hash to a legitimate looking output

This is not what collision resistance implies. It would be true if it lacked pre-image resistance. Collision resistance means that you can find two messages that hash to the same value but you don't get to choose the hash value.

In the case of the MD5 certificate attack, they made two certificates that have the same hash: one is regular (SSL), the other is supreme (CA: Certificate Authority). They asked the root CA to sign the SSL one without problem. And then they put the signature in the CA certificate. Because they have the same MD5, the signature is valid for both of them.
They made a CA that appears to be trusted by the root CA. Their CA can issue SSL certificates that will be accepted by the rules of trust delegation.

So you see that this isn't applicable to bitcoin.


Okay. But here is from a 2004 article. 2004
https://www.schneier.com/essays/archives/2004/08/cryptanalysis_of_md5.html

"This year, Eli Biham and Rafi Chen, and separately Antoine Joux, announced some pretty impressive cryptographic results against MD5 and SHA. Collisions have been demonstrated in SHA. And there are rumors, unconfirmed at this writing, of results against SHA-1."

"In 1990, Ron Rivest invented the hash function MD4. In 1992, he improved on MD4 and developed another hash function: MD5. In 1993, the National Security Agency published a hash function very similar to MD5, called the Secure Hash Algorithm (SHA). Then in 1995, citing a newly discovered weakness that it refused to elaborate on, the NSA made a change to SHA. The new algorithm was called SHA-1. Today, the most popular hash function is SHA-1, with MD5 still being used in older applications."

Bold added by me.

At this point anyone who does not know what the weakness was is not paying attention.
sr. member
Activity: 467
Merit: 267
April 22, 2015, 01:37:18 AM
#67
Quote
It seems from the descriptions of the various md5 cracks that md5 lacks collision resistance, therefore you could find a second, or fabricated, input which would hash to a legitimate looking output

This is not what collision resistance implies. It would be true if it lacked pre-image resistance. Collision resistance means that you can find two messages that hash to the same value but you don't get to choose the hash value.

In the case of the MD5 certificate attack, they made two certificates that have the same hash: one is regular (SSL), the other is supreme (CA: Certificate Authority). They asked the root CA to sign the SSL one without problem. And then they put the signature in the CA certificate. Because they have the same MD5, the signature is valid for both of them.
They made a CA that appears to be trusted by the root CA. Their CA can issue SSL certificates that will be accepted by the rules of trust delegation.

So you see that this isn't applicable to bitcoin.
newbie
Activity: 14
Merit: 0
April 21, 2015, 09:57:46 PM
#66

Is it accurate that various government agencies were aware of flaws in md5 and yet continued to promote it as secure?

I don't know.  Do you have a reference for that?

Even if they were, it was private organizations that exposed the weaknesses so wouldn't that be a moot point anyway?


The malware that exposed md5 as weak was found by Iranians. It was evidently political malware that was created by several 'anti Iranian' governments.

Wikipedia has a timeline but if you look at actual forum posts on various sites it is clear that Wikipedia is presenting a distorted picture. Forum posts suggest md5 was actually considered quite secure until the Iranian issue.

The fact that private organizations uncovered it makes sense if governments were trying to keep the weakness secret.

Evidently a wide mix of governments were aware of flaws in md5 and used that knowledge for political games.

When Iranian researchers found the malware they gave it to Kaspersky to analyze and look for historical evidence and patterns. Kaspersky seems to have been a bit disingenuous, perhaps the Russian government was benefiting from the crack as well. At any rate, any Iranian can look at the evidence and decide how helpful the Russians actually were.

The bigger question is whether these putrid alphabet soup agencies engaged in a massive deception for years with md5, but then decided 'well let's start playing square now'?

Can we trust them now?
newbie
Activity: 14
Merit: 0
April 21, 2015, 09:41:05 PM
#65
If MD5 were used for bitcoin it would not be possible to steal coins, or at least not directly.  That would require preimages.

What would be possible would be constructing txOuts that could be spent by any of several different keys.  Which could be interesting, but doesn't lead to any immediate capability of theft.

It could be used in some kind of scam or confidence game though; two different keys capable of spending the same BTC25 could coexist in a wallet and most software would think the wallet had BTC50 in it, for example because neither key would appear to be a multisig or shared key.

Among the several different md5 cracks is at least one that was used to forge a Microsoft certificate.

But you are saying that if md5 were used for bitcoin, it would be secure?

From Wikipedia
"In cryptography, a preimage attack on cryptographic hash functions tries to find a message that has a specific hash value. A cryptographic hash function should resist attacks on its preimage.

In the context of attack, there are two types of preimage resistance:

    preimage resistance: for essentially all pre-specified outputs, it is computationally infeasible to find any input which hashes to that output, i.e., it is difficult to find any preimage x given a "y" such that h(x) = y. [1]
    second-preimage resistance: it is computationally infeasible to find any second input which has the same output as a specified input, i.e., given x, it is difficult to find a second preimage x' ≠ x such that h(x) = h(x′).[1]

These can be compared with a collision resistance, in which it is computationally infeasible to find any two distinct inputs x, x′ which hash to the same output, i.e., such that h(x) = h(x′).[1]

Collision resistance implies second-preimage resistance,[1] but does not guarantee preimage resistance.[1]"

---

It seems from the descriptions of the various md5 cracks that md5 lacks collision resistance, therefore you could find a second, or fabricated, input which would hash to a legitimate looking output
and
it lacks second preimage resistance which seems to equate to finding a second private key.

Considering the amount of bullshit that has been shoveled already in defense of md5 and sha2 my opinion remains that most likely they are cracked several ways by several governments and those overpaid slippery cunts are trying to drag the game out as long as they can.

The Bitstamp hack may be their undoing though. If that hack was actually a sha2 crack then you would think they would take pains to leave a fake forensic trail. More info will be coming out on that I imagine.
legendary
Activity: 924
Merit: 1132
April 21, 2015, 06:20:47 PM
#64
If MD5 were used for bitcoin it would not be possible to steal coins, or at least not directly.  That would require preimages.

What would be possible would be constructing txOuts that could be spent by any of several different keys.  Which could be interesting, but doesn't lead to any immediate capability of theft.

It could be used in some kind of scam or confidence game though; two different keys capable of spending the same BTC25 could coexist in a wallet and most software would think the wallet had BTC50 in it, for example because neither key would appear to be a multisig or shared key. 
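
The following is an added illustration, not code from the thread, of the collision-versus-preimage gap that underlies both the MD5 certificate story in post #67 and Cryddit's "two keys, one output" scenario above. It uses a constructed toy hash (SHA-256 truncated to 20 bits) so that a birthday search completes in milliseconds, a constructed HMAC in place of the CA's RSA signature (the only property that matters is that the signer commits to the digest alone), and made-up certificate fields and keys. Nothing here touches MD5 itself; the point is the square-root work gap and what it does and does not buy.

```python
import hashlib
import hmac
import itertools

# Constructed toy hash: SHA-256 truncated to 20 bits. A birthday (collision) search
# then needs roughly 2**10 evaluations while a preimage search needs roughly 2**20,
# the same square-root gap that separates MD5's broken collision resistance from its
# still-intact preimage resistance (for a 128-bit digest: about 2**64 vs 2**128).
HASH_BITS = 20


def toy_hash(data: bytes) -> int:
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - HASH_BITS)


def find_collision(prefix_a: bytes, prefix_b: bytes):
    """Birthday search for two messages with different prefixes and equal toy_hash.
    Returns (message_a, message_b, hash_evaluations)."""
    seen_a, seen_b = {}, {}
    for i in itertools.count():
        nonce = i.to_bytes(4, "big")
        m_a, m_b = prefix_a + nonce, prefix_b + nonce
        h_a, h_b = toy_hash(m_a), toy_hash(m_b)
        seen_b.setdefault(h_b, m_b)
        if h_a in seen_b:
            return m_a, seen_b[h_a], 2 * (i + 1)
        seen_a.setdefault(h_a, m_a)
        if h_b in seen_a:
            return seen_a[h_b], m_b, 2 * (i + 1)


def preimage_search(target: int, budget: int):
    """Look for any input hashing to a chosen digest; gives up after `budget` tries.
    With the toy parameters a budget of a few thousand almost never succeeds."""
    for i in range(budget):
        candidate = b"candidate:" + i.to_bytes(4, "big")
        if toy_hash(candidate) == target:
            return candidate, i + 1
    return None, budget


def ca_sign(ca_key: bytes, document: bytes) -> bytes:
    """A signer commits to the digest only, as a real CA does. HMAC stands in for
    RSA/ECDSA here (constructed simplification); the digest-only input is the point."""
    digest = toy_hash(document).to_bytes(4, "big")
    return hmac.new(ca_key, digest, "sha256").digest()


def ca_verify(ca_key: bytes, document: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(ca_sign(ca_key, document), signature)


def certificate_demo():
    """Post #67's scenario: the CA signs a harmless leaf certificate, and that one
    signature is equally valid for a colliding certificate that claims CA:TRUE."""
    leaf_prefix = b"CN=shop.example;CA:FALSE;nonce="   # constructed: what the CA agrees to sign
    rogue_prefix = b"CN=rogue;CA:TRUE;nonce="          # constructed: never shown to the CA
    leaf, rogue_ca, tries = find_collision(leaf_prefix, rogue_prefix)
    ca_key = b"constructed-root-ca-key"
    signature = ca_sign(ca_key, leaf)                   # the root only ever signs `leaf`
    return {
        "collision_hash_evaluations": tries,
        "same_digest": toy_hash(leaf) == toy_hash(rogue_ca),
        "signature_valid_for_leaf": ca_verify(ca_key, leaf, signature),
        "signature_valid_for_rogue_ca": ca_verify(ca_key, rogue_ca, signature),
    }


def wallet_demo(key_a: bytes, key_b: bytes):
    """Post #64's scenario: two distinct keys whose (toy) address collides. Summing
    balances per key double counts one 25-coin output; summing per address does not."""
    utxo = {toy_hash(key_a): 25}                        # one output locked to that address
    per_key = sum(utxo.get(toy_hash(k), 0) for k in (key_a, key_b))
    addresses = {toy_hash(k) for k in (key_a, key_b)}
    per_address = sum(utxo[a] for a in addresses if a in utxo)
    return per_key, per_address


if __name__ == "__main__":
    print(certificate_demo())
    key_a, key_b, _ = find_collision(b"key-a:", b"key-b:")
    print(wallet_demo(key_a, key_b))                    # (50, 25)
    found, tries = preimage_search(toy_hash(b"already-signed"), 4 * 2 ** (HASH_BITS // 2))
    print("preimage found" if found else f"no preimage within {tries} tries")
```

The two demos show the same asymmetry from opposite sides: the attacker who controls both colliding inputs can move a signature, or an address, between them, but an attacker who is handed an existing digest (an already-signed certificate, an existing txOut) gets no help from the collision search and is back to the full preimage cost. The defensive lesson the thread circles around is that any scheme which identifies data by its digest alone inherits the digest's collision resistance; a verifier that also checks what it actually received (the CA:TRUE flag, or counting balances per address rather than per key) closes the particular cases shown here.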

newbie
Activity: 14
Merit: 0
April 21, 2015, 06:04:59 PM
#63
"A 2013 attack by Xie Tao, Fanbao Liu, and Dengguo Feng breaks MD5 collision resistance in 2^18 time. This attack runs in less than a second on a regular computer."

http://en.m.wikipedia.org/wiki/MD5

There seem to be quite a few different md5 cracks which were found independently.

It appears that the government and Microsoft both encouraged the use of md5 until it was exposed publicly by Iranian computer researchers.

If md5 were used for bitcoin it would be possible for anyone to steal bitcoin.

If sha2 is compromised as md5 was, and if the government is covering that up in order to exploit it, as they did with md5, what are the implications?

It is safe to say other governments also have cryptography programs.
hero member
Activity: 658
Merit: 500
April 21, 2015, 10:25:31 AM
#62
For what it's worth, the MD5 break is of a very particular kind.

MD5 has a collision vulnerability, but it does not have a meaningful preimage vulnerability.

What that means is that it is now easy to construct two or more documents that have the same MD5 hash (a collision), but given a hash value it is still damned hard to construct something which hashes to that value (a preimage).

Its preimage resistance isn't quite perfect mind you; an attack has been found that takes 2^123.5 operations to find a preimage, when it ought to take 2^128 if its preimage resistance were as good as it was supposed to be.  So MD5, while completely broken in terms of collision resistance, is only about 1/24 as hard to find a preimage as it ought to be. In practice finding a preimage is still far beyond the amount of computing power that could be produced by a computer the mass of Earth in a time less than the expected lifetime of the sun.

Of course, attacks never get worse ... and it's possible that the preimage attack can be extended somehow.  

Interesting. I was under the impression that MD5 was vulnerable against preimage attacks.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
April 21, 2015, 09:09:34 AM
#61
Phew... people should keep in mind that there effectively is an infinite amount of private keys, so every public key (and thus also address) has an infinite number of private keys that can access that address! Scary, isn't it? If you look at the math, it isn't anymore!

well there's 2^256 private keys and 2^160 addresses so yeah there's many private keys for each address,
but that's not really what's being discussed.

Cryddit's post is enlightening, in revealing that even MD5 is subject to collisions but
not pre-image attacks.

I'm not sure exactly why collisions are that important if they would happen rarely,
or how you would use that to attack a target.
hero member
Activity: 518
Merit: 500
Trust me!
April 21, 2015, 06:20:18 AM
#60
Phew... people should keep in mind that there effectively is an infinite amount of private keys, so every public key (and thus also address) has an infinite number of private keys that can access that address! Scary, isn't it? If you look at the math, it isn't anymore!
legendary
Activity: 924
Merit: 1132
April 21, 2015, 01:19:16 AM
#59
For what it's worth, the MD5 break is of a very particular kind.

MD5 has a collision vulnerability, but it does not have a meaningful preimage vulnerability.

What that means is that it is now easy to construct two or more documents that have the same MD5 hash (a collision), but given a hash value it is still damned hard to construct something which hashes to that value (a preimage).

Its preimage resistance isn't quite perfect mind you; an attack has been found that takes 2^123.5 operations to find a preimage, when it ought to take 2^128 if its preimage resistance were as good as it was supposed to be.  So MD5, while completely broken in terms of collision resistance, is only about 1/24 as hard to find a preimage as it ought to be. In practice finding a preimage is still far beyond the amount of computing power that could be produced by a computer the mass of Earth in a time less than the expected lifetime of the sun.

Of course, attacks never get worse ... and it's possible that the preimage attack can be extended somehow. 
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
April 20, 2015, 11:35:14 PM
#58

Okay then. What is it about sha2 that makes it unbreakable when compared to md5?
 

That's actually an excellent question and I don't know,
because both do use the Merkle-Damgard construction.
 
Best left to ask a cryptographer.
 
I think there's certainly room to be a skeptic here, given the similarities, but
the fact remains that no one has publicly produced any evidence of significant
weakness so far in SHA-2.

Is it accurate that various government agencies were aware of flaws in md5 and yet continued to promote it as secure?

I don't know.  Do you have a reference for that?

Even if they were, it was private organizations that exposed the weaknesses so wouldn't that be a moot point anyway?
newbie
Activity: 14
Merit: 0
April 20, 2015, 08:34:13 PM
#57

Okay then. What is it about sha2 that makes it unbreakable when compared to md5?
 

That's actually an excellent question and I don't know,
because both do use the Merkle-Damgard construction.
 
Best left to ask a cryptographer.
 
I think there's certainly room to be a skeptic here, given the similarities, but
the fact remains that no one has publicly produced any evidence of significant
weakness so far in SHA-2.

Is it accurate that various government agencies were aware of flaws in md5 and yet continued to promote it as secure?
legendary
Activity: 924
Merit: 1132
April 20, 2015, 05:14:26 PM
#56

If you took the first 1 million bitcoin addresses, generated from the lowest 1 million private keys, and you were able to find any difference whatsoever with the last million addresses, generated from the highest 1 million private keys, it would be the end of bitcoin using the current key/address system. Is there any such difference? There certainly is.

They are different in that no single address appears in both sets, but there is no discernible difference in the statistical distribution of any bit or any pattern of bits.  There is literally no way, given an address, to guess which of these sets it's in.  Except, you know, by iterating through all the possible private keys and seeing if it matches.
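
Cryddit's claim above can be checked directly. The following is an added example, not code from the thread: it derives addresses for the lowest and highest private keys on secp256k1 using only the Python standard library, then compares the two sets. It assumes a simplified address (compressed public key, SHA-256, RIPEMD-160, no Base58Check, since the encoding adds nothing to the comparison) and falls back to a clearly labelled stand-in hash if the local OpenSSL build lacks RIPEMD-160. The curve constants are the public secp256k1 parameters; `on_curve` rechecks them at run time.

```python
import hashlib

# secp256k1 parameters (public constants of the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P (callers never pass inverse points)."""
    (x1, y1), (x2, y2) = p1, p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return x3, y3


def address_of(pubkey):
    """Compressed SEC encoding, then SHA-256 and RIPEMD-160, as Bitcoin does.
    Base58Check is omitted: it is a reversible encoding and adds no information."""
    x, y = pubkey
    sec = (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")
    sha = hashlib.sha256(sec).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:
        # RIPEMD-160 missing from this OpenSSL build: stand-in of the same 160-bit width
        return hashlib.sha256(b"ripemd160-stand-in:" + sha).digest()[:20]


def lowest_and_highest_addresses(count):
    """Addresses for private keys 1..count and N-1 down to N-count.
    Because (N-k)*G == -(k*G) == (x, P-y), the high keys need no extra multiplication:
    their public keys are the mirror images of the low ones, differing only in the
    parity byte of the compressed encoding. Everything after that is the hash."""
    low, high = [], []
    pt = G                                   # 1*G
    for _ in range(count):
        low.append(address_of(pt))
        high.append(address_of((pt[0], (P - pt[1]) % P)))   # (N-k)*G
        pt = point_add(pt, G)                # (k+1)*G
    return low, high


def bit_balance(addresses):
    """Fraction of addresses with bit i set, for each of the 160 bit positions."""
    n = len(addresses)
    return [sum((a[i // 8] >> (7 - i % 8)) & 1 for a in addresses) / n for i in range(160)]


def compare_sets(count=1000):
    low, high = lowest_and_highest_addresses(count)
    bal_low, bal_high = bit_balance(low), bit_balance(high)
    return {
        "overlap": len(set(low) & set(high)),                            # expect 0
        "max_bit_gap": max(abs(a - b) for a, b in zip(bal_low, bal_high)),  # expect ~0.1 or less
        "max_bias": max(abs(f - 0.5) for f in bal_low + bal_high),       # expect ~0.07 or less
    }


if __name__ == "__main__":
    print(compare_sets())
```

Two things are worth noticing in the output. The sets are disjoint, exactly as the post says, and no bit position leans one way in either set beyond ordinary sampling noise; with a thousand keys per set the per-bit fractions sit within a few percent of one half. The derivation in `lowest_and_highest_addresses` also shows why: the "highest" public keys are algebraically the negatives of the "lowest" ones, so the only thing separating the two address sets is one parity byte fed through SHA-256 and RIPEMD-160, and a hash that let you tell those apart would be a distinguisher for the hash, not a property of the key order.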
legendary
Activity: 924
Merit: 1132
April 20, 2015, 05:04:15 PM
#55

However finding only the relative position of an address, being able to say one address comes before or after another, would be much easier and would get the private key of any address within a few hundred steps by telling you whether you need to generate a higher or a lower private key.

No.  It isn't.  There is no way that is "much easier".  In fact it's every bit as hard as reversing the hash operation in the first place.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
April 20, 2015, 03:51:27 PM
#54

Okay then. What is it about sha2 that makes it unbreakable when compared to md5?
 

That's actually an excellent question and I don't know,
because both do use the Merkle-Damgard construction.
 
Best left to ask a cryptographer.
 
I think there's certainly room to be a skeptic here, given the similarities, but
the fact remains that no one has publicly produced any evidence of significant
weakness so far in SHA-2.

newbie
Activity: 14
Merit: 0
April 20, 2015, 12:52:58 PM
#53
Sorry, I don't have my no ice please password so I created a new ID.

This is what I have understood so far:
1) MD5 was considered utterly secure until it was cracked. The crack involved a flaw inherent to using hashes in asymmetric cryptography and should obviously thus preclude their use for things such as bitcoin.
2) The hash cracking process involved two basic steps. Initially a meta flaw in hashing security, then a specific application adapted to a specific algorithm such as md5.
3) There have been not one but several completely distinct meta vulnerabilities found in using hashes for cryptographic purposes. In other words several different ways have been mentioned publicly to crack them. Some are slow others are very fast.
4) Using a longer key length does not realistically increase the cryptographic strength of hashes even with very long keys.

So I with my small years old computer and meager interest in the subject will not break sha2, but someone has. There are literally dozens or more of people working full time to crack it, using powerful computers, it is safe to say they can do to sha2 what relatively poorly equipped researchers did years ago with md5.

So my question now is which coin has a more reliable algorithm, preferably without the seal of approval from any govt?

MD5 was pumped a few years ago exactly as sha2 is being pumped now. There are a lot of ways the security of sha2 could be demonstrated satisfactorily, but instead of doing that its defenders use dishonest rhetorical techniques to defend it. Go over this thread and you will see numerous examples. A person holding aces doesn't need to bluff.
No, you are simply at the wrong place. Why don't you ask on a cryptography forum instead?

A good idea.

Thank you.
sr. member
Activity: 467
Merit: 267
April 20, 2015, 12:26:45 PM
#52
MD5 was pumped a few years ago exactly as sha2 is being pumped now. There are a lot of ways the security of sha2 could be demonstrated satisfactorily, but instead of doing that its defenders use dishonest rhetorical techniques to defend it. Go over this thread and you will see numerous examples. A person holding aces doesn't need to bluff.
No, you are simply at the wrong place. Why don't you ask on a cryptography forum instead?