[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FORGED CANCELS of posts on n.a.n-a.m

At 06:11 PM 10/5/95 +1000, you wrote:
>One thing that occurs to me: suppose I go to control, collect cancel messages,
>and build myself a collection of M1's that will work with a given M2?

MD5 produces a very random 128-bit output; you're not going to collect
any appreciable fraction of the 2**128 possible M2s.  As long as M1 is
even as simple as MD5(messageid,passphrase), it's pretty open territory.

Targeted attacks, however, are still possible, as long as M1 retains
the form MD5(known-stuff, passphrase) - assuming the user uses one of the
few hundred million wimpiest passphrases, you can search that moderately fast;
if you're willing to burn some resources, you might be able to take out
most of alt.religion.spam, at least until people use better passphrases.

The amount of work depends somewhat on whether you use
MD5(known-stuff, passphrase) or MD5(passphrase,known-stuff).
For the first case, the cracker would calculate the MD5 context
after doing known-stuff (once) and then grind away on passphrases.
For the second, the cracker could pre-compute a table of MD5 context
for the wimpy password list, and then add known-stuff to each.
Since known-stuff is probably longer than passphrases here,
the latter is probably more secure for this application.
#                                       Thanks;  Bill
# Bill Stewart, Freelance Information Architect, [email protected]
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281