by CaliforniaKarl 902 days ago
I've been wondering, is there a term for a type of attack like this:

Given a message M, length function L(), and MD5 hash function H(); is there an attack which can generate message M', such that H(M)==H(M') _and_ L(M)==L(M')?

In other words: Two different messages, both of the same length, with the same hash?

It's almost like a chosen prefix collision attack, but with no prefix (so P is empty) and a given message (M is known, M' is up to the attacker).

I ask because I frequently use GridFTP for data transfer, and it uses both the file length and the MD5 hash to verify that files were transferred correctly.

2 comments

I don't know anything about GridFTP - but there's a huge difference between verifying if files were "transferred correctly" and verifying that files were transferred without being tampered with by a malicious party.

MD5 is fine for the first task, and totally unacceptable for the second.

Indeed, which is why I didn’t mention third-party tampering. For that, the transfer can be sent inside of a TLS-enabled connection.

That is still an attack on the second preimage or collision resistance properties of the hash function. Most collisions do work this way, for example see [1].

[1] https://github.com/corkami/collisions

That makes sense, but is there a specific name for this type of collision?
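
Added example, not part of the thread: a sketch of the two properties named above, with every message held to the same length as in the question. It assumes a toy digest (MD5 truncated to 16 bits) so both searches finish quickly; `toy_hash`, `BITS`, `LENGTH` and the sample message are constructed for illustration.

```python
import hashlib
from itertools import count

BITS = 16   # toy digest size (assumption): MD5 truncated so the searches finish
LENGTH = 8  # every candidate message has this length, as in the question


def toy_hash(msg: bytes) -> bytes:
    """First BITS bits of MD5(msg); stands in for H() at a searchable size."""
    return hashlib.md5(msg).digest()[: BITS // 8]


def candidates(skip: bytes = b""):
    """Yield distinct LENGTH-byte messages, skipping one given message."""
    for i in count():
        msg = i.to_bytes(LENGTH, "big")
        if msg != skip:
            yield msg


def find_collision():
    """Collision: the searcher picks BOTH messages. Generic cost ~2^(BITS/2)."""
    seen = {}
    for tries, msg in enumerate(candidates(), 1):
        digest = toy_hash(msg)
        if digest in seen:
            return seen[digest], msg, tries
        seen[digest] = msg


def find_second_preimage(given: bytes):
    """Second preimage: M is fixed, only M' is free. Generic cost ~2^BITS."""
    target = toy_hash(given)
    for tries, msg in enumerate(candidates(skip=given), 1):
        if toy_hash(msg) == target:
            return msg, tries


def passes_length_and_hash_check(a: bytes, b: bytes) -> bool:
    """The check described in the question: same length and same digest."""
    return len(a) == len(b) and toy_hash(a) == toy_hash(b)


if __name__ == "__main__":
    m1, m2, n = find_collision()
    print(f"collision after {n} tries: {m1.hex()} / {m2.hex()}")
    m_prime, n = find_second_preimage(b"transfer")  # constructed 8-byte sample
    print(f"second preimage after {n} tries: {m_prime.hex()}")
```

Both results pass the length-plus-digest check; the difference is whether one of the two messages was fixed in advance, which is what separates the generic 2^(n/2) search from the 2^n one.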