#16
So I want to study the exe files on the final URL; have you ever backed them up? Thank you.

Quote:
#17
Quote:
http://www.coresecurity.com/system/f...16-cksum32.zip

Hope it helps someone!
#18
For another example and a detailed walk-through which you could try, see the following link:
http://www.win.tue.nl/hashclash/SoftIntCodeSign/

Authors Marc Stevens (CWI, Amsterdam, The Netherlands), Arjen K. Lenstra (EPFL, Lausanne, Switzerland, and Bell Labs, Murray Hill, USA) and Benne de Weger (TU/e, Eindhoven, The Netherlands) are the pioneers in producing MD5 collisions across a variety of things! And if you want to deep dive into more specifics, then visit http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/

Hope it helps someone!
#19
Quote:
Terrific! pow(2,50) calls to md5(), costing 6 months.
#20
While this involves computing power not accessible to all of us, I had already read some of this stuff and the article on the practical case of creating a rogue CA, compromising the entire https security.
http://www.win.tue.nl/hashclash/rogue-ca/

They describe the process in detail, which includes interesting stuff not only to learn some of the md5 details but also the https / PKI workings, for those who haven't explored it before. Using 200 PS3 machines, they could generate during one weekend 3 or 4 collisions, and after some tries reportedly succeeded in creating a certificate that any browser would accept as a legitimate CA. A fun read indeed.
#21
Indeed, for what concerns the rogue CAs, the best way is always to break what's existing and catch low-hanging fruits. I mean, there are so many house-made CAs in enterprises (e.g., handling enterprise stores, VPNs, and so on) that are vulnerable, not protected enough or even not updated that it is enough for years ahead. Not speaking of certificates that can be stolen from the enterprise BYOD terminals...
These studies are extremely interesting, but are academic exercises, meant to force CA producers/sw vendors to change default hash algos or crypto suites. The problems above, instead, will stay, whatever hash algo you use :-)
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com