Comments
BF Skinner • July 19, 2010 7:30 AM
My favorite attacker’s method.
“I called them up and asked them what it was.”
The Heralds are getting clever.
stijn • July 19, 2010 7:51 AM
It’s not really a code, is it? The Wired article mentions ‘decoding’, but the plaintext was guessed, not decoded.
Dofang • July 19, 2010 8:05 AM
As a great cryptographer once said, “A crummy commercial?” Remember to drink your Ovaltine!
The Verizon Business data breach report cover was better: http://www.veracode.com/blog/2009/04/decoding-the-dbir-2009-cover/
dreamfish • July 19, 2010 8:29 AM
To be frank, it wasn’t ‘cracked’. The nature of the string lent itself to be recognised as a hash. What they guy did was determine what type of hash algorithm (not difficult as there aren’t that many in regular use), make an educated guess as to what the plain text was and recreate and compare strings.
BF Skinner • July 19, 2010 8:47 AM
Forgot to add…let the quibbling and hair splitting begin!
too late now.
Guessing plaintext is a valid attack isn’t it? Isn’t it the principal behind dictionary and brute force attacks.
anon • July 19, 2010 9:00 AM
Late post, lame code, and being a hash it cannot be called “cracked”
Wes P • July 19, 2010 9:05 AM
Yea, this was on /. a while back. I was excited, then I found out it was ONLY and md5 hash. Then I was severely disappointed. The only redeeming quality here could would be if this hash of their mission statement is shared with some other bizarre encrypted message that no one will ever find out… but this is the government we’re talking about. Fat chance at that one.
Christopher • July 19, 2010 9:06 AM
Why are they still using MD5? I’m sure a collision free hash is good enough for their logo, but shouldn’t a newly formed military infosec group prefer a strongly collision free one?
vedaal • July 19, 2010 9:11 AM
Well, since it IS MD5, maybe it might be interesting to give it to the ‘cloud’ to generate ‘alternative ‘ mission statements’ until a collision is found …
A Non • July 19, 2010 11:05 AM
Why is it that the US government has better steg than I can get?
aikimark • July 19, 2010 11:15 AM
The real challenge now begins to find a (collision) text message producing the same MD5 value.
rog • July 19, 2010 11:42 AM
i was just thinking that! preferably a suitably scurrilous/witty message.
shouldn’t a newly formed military infosec group prefer a strongly collision free one?
of course they prefer such a thing. we’re just not allowed to know what it is!
Bob • July 19, 2010 3:09 PM
Yeah, a little behind the times..
It was pretty clearly an MD5 and then easy enough to guess (and not decrypt).
HOWEVER, I do think it’s a great way for them to get people to read (or at least skim) their mission statement.
Davi Ottenheimer • July 19, 2010 6:08 PM
de58aa2162ced34566ff514a8e1c57bc
Chris • July 19, 2010 7:30 PM
The Wired article mentions ‘decoding’, but the plaintext was guessed, not decoded.
i am sure USCYBERCOM will happily sign up anyone who can consistently produce verifiable plaintexts — even if it’s by guessing rather than cryptanalysis.
Sasha van den Heetkamp • July 19, 2010 11:01 PM
SHA didn’t fit the logo, so they resorted to MD5. Typically the trade-of I would expect.
Jarda • July 20, 2010 1:53 AM
Save the logo. In future it will allow you to check, if the mission statement didn’t change
Henning Makholm • July 20, 2010 5:56 AM
There are no (first or second) preimage attacks against MD5 yet, are there?
Corned Beef • July 20, 2010 7:56 AM
USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. P.S. Mattel Aquarius rules OK.
Hmm. Can’t work out why my MD5 is different.
vedaal • July 20, 2010 3:04 PM
@ Henning, Akimark and Rog :
Here’s a possible way to find a collision:
[1] Compose your own message M, less than 391 characters.
[2] Generate random suffix characters and append to M until a 391 character length.
[3] Check if the ‘logo’ hash verifies.
[4] Repeat steps 2 and 3 until it does.
Example:
USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; to use the latest vetted strong cryptographic hashes. Our special encoded message follows: fghmtghkp5gygtpgtjk\rgkdslm\HSJY8Sghahrjyjkuknn689w6793okgi838939k49499k889898989898kk89989k788o9o999kyoyo76fytytiiiu8888
Write a script in Perl or Python to randomly generate the suffix part until the given hash verifies.
Bruce, Do you want to offer an autographed book as a prize? 😉
anton • August 9, 2010 6:34 AM
So for lazy people like me, please can someone quote the Cybercom’s 58-word mission statement!
Presumably the motivation for putting the mission statement hash into the logo was to draw attention to it.
Subscribe to comments on this entry
Leave a comment
Sidebar photo of Bruce Schneier by Joe MacInnis.
David • July 19, 2010 7:07 AM
Is this a record for the longest Bruce has been “behind the times?”
This has been reported everywhere for ages…
Even I had it 10 days ago! http://www.itwire.com/business-it-news/security/40302-us-cyber-commands-code-has-been-cracked