Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Hawaiian Bobtail Squid |
| Violating Terms of Service Possibly a Crime »
July 19, 2010
Embedded Code in U.S. Cyber Command Logo
This is excellent.
And it's been cracked already.
Posted on July 19, 2010 at 6:53 AM
• 28 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
My favorite attacker's method.
"I called them up and asked them what it was."
The Heralds are getting clever.
Still using MD5...tut tut...
It's not really a code, is it? The Wired article mentions 'decoding', but the plaintext was guessed, not decoded.
As a great cryptographer once said, "A crummy *commercial*?" Remember to drink your Ovaltine!
To be frank, it wasn't 'cracked'. The nature of the string lent itself to be recognised as a hash. What they guy did was determine what type of hash algorithm (not difficult as there aren't that many in regular use), make an educated guess as to what the plain text was and recreate and compare strings.
Forgot to add...let the quibbling and hair splitting begin!
too late now.
Guessing plaintext is a valid attack isn't it? Isn't it the principal behind dictionary and brute force attacks.
Late post, lame code, and being a hash it cannot be called "cracked"
Yea, this was on /. a while back. I was excited, then I found out it was ONLY and md5 hash. Then I was severely disappointed. The only redeeming quality here could would be if this hash of their mission statement is shared with some other bizarre encrypted message that no one will ever find out... but this is the government we're talking about. Fat chance at that one.
Why are they still using MD5? I'm sure a collision free hash is good enough for their logo, but shouldn't a newly formed military infosec group prefer a strongly collision free one?
Well, since it IS MD5, maybe it might be interesting to give it to the 'cloud' to generate 'alternative ' mission statements' until a collision is found ...
Why is it that the US government has better steg than I can get?
The real challenge now begins to find a (collision) text message producing the same MD5 value.
i was just thinking that! preferably a suitably scurrilous/witty message.
> shouldn't a newly formed military infosec group prefer a strongly collision free one?
of course they prefer such a thing. we're just not allowed to know what it is!
Yeah, a little behind the times..
It was pretty clearly an MD5 and then easy enough to guess (and not decrypt).
HOWEVER, I do think it's a great way for them to get people to read (or at least skim) their mission statement.
>The Wired article mentions 'decoding', but the plaintext was guessed, not decoded.
i am sure USCYBERCOM will happily sign up anyone who can consistently produce verifiable plaintexts -- even if it's by guessing rather than cryptanalysis.
SHA didn't fit the logo, so they resorted to MD5. Typically the trade-of I would expect.
Save the logo. In future it will allow you to check, if the mission statement didn't change
There are no (first or second) preimage attacks against MD5 yet, are there?
USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. P.S. Mattel Aquarius rules OK.
Hmm. Can't work out why my MD5 is different.
@ Henning, Akimark and Rog :
Here's a possible way to find a collision:
 Compose your own message M, less than 391 characters.
 Generate random suffix characters and append to M until a 391 character length.
 Check if the 'logo' hash verifies.
 Repeat steps 2 and 3 until it does.
USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; to use the latest vetted strong cryptographic hashes. Our special encoded message follows: fghmtghkp5gygtpgtjk\rgkdslm\HSJY8Sghahrjyjkuknn689w6793okgi838939k49499k889898989898kk89989k788o9o999kyoyo76fytytiiiu8888
Write a script in Perl or Python to randomly generate the suffix part until the given hash verifies.
Bruce, Do you want to offer an autographed book as a prize? ;-)
Your tax dollars at work.
So for lazy people like me, please can someone quote the Cybercom's 58-word mission statement!
Presumably the motivation for putting the mission statement hash into the logo was to draw attention to it.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.