Rhys, via MSN to me before 8.00 on Thursday morning (slightly edited):
Rhys: This is such bulls—.
David: “[MD5] … [is] open to viruses.”
David: What. The. F—ing. F—?
Rhys: I give you permission to blog it!
David: You can blog it and I can link to you!
Rhys: Nah, I’m too lazy.
Slashdot, about eight-and-a-half hours later: Aussie Speed Cameras in Doubt Because of MD5. Unsurprisingly, the story has rapidly made its way around the blogosphere, most notably being picked up by Bruce Schneier and Declan McCullagh. It was also noted on full-disclosure.
My view, which seems to be consistent with the more sensible and thoughtful commentary that I’ve read, is that the decision is odd and quite possibly wrong. It’s true that MD5 is theoretically broken. However, I do not understand it to be broken in the way necessary to make the defendant’s arguments in the speed camera case hold up. For his argument to work:
A speed camera photo was taken of a vehicle that was not the defendant’s, and an MD5 checksum was associated with that photo.
Someone wanted that MD5 checksum to instead incriminate the defendant.
That person (or persons) manufactured a plausible-looking speed camera photo incriminating the defendant, such that the MD5 checksum for that image matched the MD5 checksum for the original image.
First, that’s a lot of work for someone who wants to beat a couple of hundred dollars worth of fine, or frame someone else for it. It’s hardly The Fugitive.
Secondly, it’s a pretty stunning attack. The attack goes further than simply constructing two files with identical MD5 checksums (which the literature explains: e.g., Mikle, Lenstra and de Wegner). What is required is to create a image similar, but not identical, to an image with a known MD5 checksum with the same MD5 checksum. If this attack—a second preimage attack—was computationally feasible, it would make MD5 completely useless. (That’s not to say the current MD5 breaks aren’t serious, however: see Dan Kaminsky, in particular “MD5 To Be Considered Harmful Someday”.)
The NEWS.com.au report contains the following nugget:
[Sydney magistrate Lawrence] Lawson had adjourned the case in June, giving the RTA eight weeks to produce an expert to prove pictures from a speed camera on Carlingford Rd, Epping, had not been altered after they were taken.
He said it was a matter of public interest and the RTA should be given time to back up its case.
But RTA lawyers yesterday told Hornsby Local Court they could not find an expert and the case was thrown out, with $3300 in legal costs awarded to the motorist, a man allegedly caught speeding through a school zone on November 18 last year.
The obvious question is why the RTA didn’t produce this evidence. I don’t know why, though perhaps they performed a simplistic cost-benefit analysis to the effect that they could let this one get away. (The “one-off” statement from the RTA spokesman in the report suggests as much.) But any such analysis ignores the effect of any similar future cases. Which seeing that the lawyer successfully got his name into the news, means that others might be going to notguilty.com.au.
One obvious question is how far this will travel. Perhaps fortunately, it seems to be a NSW-only phenomenon. Believe it or not, MD5 is actually prescribed in NSW. Section 47 of the Road Transport (Safety and Traffic Management) Act 1999 (NSW) provides, in part:
(1) In proceedings for an offence of driving at a speed in excess of a speed limit imposed by or under this Act or the regulations, evidence may be given of a measurement of speed obtained by the use of an approved speed measuring device and recorded by an approved camera recording device.
(2) In proceedings in which such evidence is given … (c) evidence that a photograph taken by an approved digital camera recording device bears a security indicator of a kind prescribed by the regulations is evidence (unless evidence to the contrary is adduced) that the photograph has not been altered since it was taken.
And, as foreshadowed, reg 156A(1) of the Road Transport (Safety and Traffic Management) (Road Rules) Regulation 1999 (NSW) provides:
For the purposes of section 47(2)(c) of the Act:
(a) a series of 32 characters produced by an MD5 algorithm, or
(b) a series of 48 characters of which 32 characters have been produced by an MD5 algorithm,
is prescribed as a security indicator.
(Similar provisions apply for toll collection cameras and public transport lane offences.)
Given these provisions, I would have thought that merely showing that MD5 was less than completely secure would be insufficient to avoid a conviction. But without knowing the specific details of the case, it’s impossible to know for sure.
Interestingly, reg 156A(3) indicates that the amendment was made by the Road Transport (Safety and Traffic Management) Road Rules Further Amendment Regulation 2004 (NSW), which seems to have come into effect on 17 December 2004. Prior to that, reg 156A was much simpler:
For the purposes of section 47(2)(c) of the Act, an identifier consisting of a series of 48 characters that is an individual combination of letters, numbers or symbols that has been produced by an MD5 algorithm is prescribed as a security indicator.
Google reveals there’s something of a backstory. In November last year, the same lawyer found another MD5-related loophole.
Byron comments.
