On Mon, 06 Jan 2003, Wall, Kevin wrote: > On Sunday, January 05, 2003, Jamie Lawrence apparently wrote... > > <...deleted...> > > > In practical terms, even if someone were to find a set of data that > > matched a given CRC, the result would almost certainly be gibberish > > that would look nothing like a drive image. While cryptographically > > valid, I don't think anyone would believe it was the actual original > > data. > > However, assuming that the CRC applied to the entire drive image, > including slack space, etc., explaining away that "gibberish" would be > trivial. If it were me, I'd just tweak one or more given slack > areas or blocks on the free list to make the CRC come out right. > One could easily claim that the resulting gibberish was the result > of a previously deleted or overwritten encrypted file, which ought > to look random anyway. Sorry - I was writing sloppily. I meant 'MD5' where I said 'CRC' in the above paragraph. Modifiying a drive image in a way that both matches a specific MD5 checksum is a hard problem, even given evolving weaknesses in the algorithm. Doing so in such a way that still yeilds something that looks like a drive image, I believe, is a much harder feat, even if you have a couple of other potential target 'appearances', such as looking like a CFS image or something of that sort. Cheers, -j -- Jamie Lawrence jalat_private "God created the integers, all else is the work of man." - Kronecker ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 10:27:43 PST