Re: hash functions Re: OVC - I "really" need yourhelpwith "public disclosure" legislative suggestion

From: charlie strauss <cems_at_earthlink_dot_net>
Date: Tue Nov 28 2006 - 00:38:04 CST

the way to keep mischief out of the bootloader is to make it physcially small. Disable it's address space. then install a boot loader that has just enough brains to load a better bootloader like off of the CD-rom. A checksum would hardly be needed at this point. but if you did have one there might not be enough free maliable spoof it. As I said spoofing a checksum like MD5 requires the cooperation of the victim to leave enough free space to fake the check sum.

-----Original Message-----
>From: Ed Kennedy <ekennedyx@yahoo.com>
>Sent: Nov 27, 2006 11:06 PM
>To: joehall@pobox.com, 'Open Voting Consortium discussion list' <ovc-discuss@listman.sonic.net>
>Subject: Re: [OVC-discuss] hash functions Re: OVC - I "really" need yourhelp with "public disclosure" legislative suggestion
>
>Thank you folks for your erudite discussion on the weaknesses of Hash
>functions. If I read you correctly, this works best for a 'message in a
>bottle' approach and unfortunately does not really deal with hardware hacks
>such as concealing mischief oriented code in the 'boot loader,' and such. I
>was afraid of that. Still, I guess it could be part of a suite of tools and
>techniques that might be applied. I'll leave it to you experts to figure
>out how. Thanks for your feedback.
>
> --
>
>Edmund R. Kennedy, PE
>10777 Bendigo Cove
>San Diego, CA 92126
>
>
>
>-----Original Message-----
>From: ovc-discuss-bounces+ekennedyx=yahoo.com@listman.sonic.net
>[mailto:ovc-discuss-bounces+ekennedyx=yahoo.com@listman.sonic.net] On Behalf
>Of Joseph Lorenzo Hall
>Sent: Monday, November 27, 2006 5:37 PM
>To: Open Voting Consortium discussion list
>Subject: Re: [OVC-discuss] hash functions Re: OVC - I "really" need yourhelp
>with "public disclosure" legislative suggestion
>
>On 11/27/06, Charlie Strauss <cems@earthlink.net> wrote:
>> Heres' a couple articles. The important feature is that attack
>> requires cooperation from the victim in the sense that there needs to
>> be a large mutable region the attacker can modify without changing
>> the length of the document. So if don't cooperate and are not
>> stupid, you can avoid this attack.
>>
>>
>>
>> http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
>> http://www.cits.rub.de/MD5Collisions/
>>
>> http://www.heise-security.co.uk/news/77244
>
>So, MD5 and SHA hash functions (that aren't keyed like in HMAC) can
>have designed collisions (or will soon).
>
>What other non-keyed hash functions out there will people move to now
>that these popular ones have proven cryptanalytical weaknesses? And
>does a suite of hashes... like MD5/SHA-256/Tiger/WHIRLPOOL prove to be
>infeasible to collide (is there literature on suites of hashes)? -Joe
>
>--
>Joseph Lorenzo Hall
>PhD Student, UC Berkeley, School of Information
><http://josephhall.org/>
>_______________________________________________
>OVC-discuss mailing list
>OVC-discuss@listman.sonic.net
>http://lists.sonic.net/mailman/listinfo/ovc-discuss
>
>
>_______________________________________________
>OVC-discuss mailing list
>OVC-discuss@listman.sonic.net
>http://lists.sonic.net/mailman/listinfo/ovc-discuss

_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Thu Nov 30 23:17:14 2006

This archive was generated by hypermail 2.1.8 : Thu Nov 30 2006 - 23:17:19 CST