tech-install archive


Re: HTTPS trust anchors in sysinst



> Now suppose, after the string x is determined, I pick a 32-byte
> string r uniformly at random, compute h = MD5(r || x), and send you
> (r, h).  You download the file, again giving some string x', and you
> accept it only if MD5(r || x') ?= h.

> Nobody has shown any way to pass a forgery through this criterion.
> That's what I mean by randomized MD5.

I thought MD5 was not only weak for collision resistance but also weak
for second-preimage resistance.  Is that wrong?

Also, is that under the assumption that the putative forger gets to see
r, or doesn't get to see r?  If the forger gets to compute x' knowing r
and x, I'd be surprised if that is much more difficult than just the
ordinary second-preimage problem.

If the attacker doesn't get to see r (or if computing a suitable x'
given x and r takes too long), yeah, I would expect that to be
significantly more secure than base MD5.  Indeed, I use a very similar
construct in one of my programs, though run-time adaptive attacks are
mostly outside its threat model, so the security properties are rather
different.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

