Sunday, January 11, 2009

A way to facilitate a collision attack

This is a way to do a contest for Code Show. Don't do this in real life.

Submit your first program to one server which verifies that your program is a Perl script consisting entirely of printing constant strings. Calculate the checksum of the program and put the checksum in a database.

Submit your second program to a second server which also contains the key on a local file. The server calculates the checksum of the second program to see if it is on the "safe" database, and if it is, runs the program and reports its output to the user.

Obviously, the way to penetrate the second server is to create two different programs the have the same hash. The first program is "safe" and the second does something like print `cat key`.

Perl's syntactic flexibility gives lots of freedom for the programs to achieve colliding hash digests.

No comments :