From owner-freebsd-security@FreeBSD.ORG Sun Dec 2 19:45:20 2007
From: area damai™
Date: Mon, 3 Dec 2007 03:20:21 +0800
Subject: Setting SSH timeout

I'm trying to disconnect idle users from my system by editing
/etc/ssh/sshd_config. I have set

TCPKeepAlive no
ClientAliveInterval 2

and restarted the sshd service (/etc/rc.d/sshd restart), but it still won't
disconnect any idle client. Any advice is highly appreciated.

areadamai
freebsd user

From owner-freebsd-security@FreeBSD.ORG Sun Dec 2 21:59:49 2007
From: M.Z.el-Siddik
Date: Sun, 2 Dec 2007 22:30:54 +0100
Subject: Fwd: Setting SSH timeout

Restarting sshd won't let you disconnect any user. The best way is to kill
the user's login PID.

On Dec 2, 2007 8:20 PM, area damai™ wrote:
> I'm trying to disconnect idle users from my system by editing
> /etc/ssh/sshd_config
> I have set
> TCPKeepAlive no
> ClientAliveInterval 2
>
> and restarting sshd services /etc/rc.d/sshd restart
>
> but it still won't disconnect any idle client
> any advice is highly appreciated
>
> areadamai
> freebsd user

--
zaher el siddik
From owner-freebsd-security@FreeBSD.ORG Sun Dec 2 22:49:09 2007
From: Christian Laursen
Date: Sun, 02 Dec 2007 23:33:41 +0100
Subject: Re: Setting SSH timeout

"area damai™" writes:

> I'm trying to disconnect idle users from my system by editing
> /etc/ssh/sshd_config

I don't think sshd can do that.

Take a look at /usr/ports/sysutils/idled.

--
Christian Laursen

From owner-freebsd-security@FreeBSD.ORG Sun Dec 2 23:28:08 2007
From: Steden Klaus
Date: Sun, 2 Dec 2007 15:02:55 -0800
Subject: Re: Setting SSH timeout

Seconded.

Idled works well, and handles all types of user login sessions. I have used
it quite successfully for many years.

Hth,
Klaus
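An added example, not code from the thread or from idled: a small Python idle-session reaper that does what the replies above describe. It measures idleness from the terminal device's atime, the same source w(1)'s IDLE column and idled read, and sends SIGHUP to the login shell of anyone past the limit; sshd's ClientAliveInterval only probes whether the client connection still answers, which is why it never fires for a connected but idle user. The session list (users, ttys, pids) is constructed, and the stat and kill calls are injectable so the logic runs without real terminals.

```python
import os
import signal
import time
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Session:
    user: str
    tty: str   # device name under /dev, e.g. "ttyp0" on FreeBSD 6/7
    pid: int   # pid of the login shell, i.e. the "login PID" the reply refers to


def tty_idle_seconds(tty: str, now: float, stat: Callable = os.stat) -> float:
    """Seconds since the last input on a terminal.

    The tty driver updates the device node's atime each time the shell reads a
    keystroke, so /dev/<tty> atime is the time of the last input; w(1) and
    idled use the same source. `stat` is injectable for testing."""
    st = stat(os.path.join("/dev", tty))
    return max(0.0, now - st.st_atime)


def find_idle_sessions(sessions, limit_seconds, now=None, stat=os.stat):
    """Return [(session, idle_seconds)] for sessions idle at least limit_seconds.

    A tty that disappeared between listing and checking is skipped rather than
    treated as idle, so a user who just logged out is never signalled."""
    now = time.time() if now is None else now
    idle = []
    for s in sessions:
        try:
            secs = tty_idle_seconds(s.tty, now, stat)
        except FileNotFoundError:
            continue
        if secs >= limit_seconds:
            idle.append((s, secs))
    return idle


def hangup(session, kill=os.kill):
    """SIGHUP the login shell, the signal a dropped connection would deliver, so
    the shell runs its normal logout path. Returns False if it already exited."""
    try:
        kill(session.pid, signal.SIGHUP)
        return True
    except ProcessLookupError:
        return False


def reap(sessions, limit_seconds, now=None, stat=os.stat, kill=os.kill):
    """Hang up every idle session; return the users that were disconnected."""
    return [s.user for s, _ in find_idle_sessions(sessions, limit_seconds, now, stat)
            if hangup(s, kill)]


class FakeStat:
    """Minimal stand-in for os.stat_result, used by the constructed demo."""
    def __init__(self, atime):
        self.st_atime = atime


def demo(limit_minutes=30):
    """Constructed sample: four sessions with made-up last-input times.
    Returns (disconnected users, pids that were signalled)."""
    now = 1196640000.0                      # fixed "now" so the result is stable
    atimes = {
        "/dev/ttyp0": now - 15 * 60,        # alice typed 15 minutes ago
        "/dev/ttyp1": now - 45 * 60,        # bob has been idle 45 minutes
        "/dev/ttyp2": now - 3 * 3600,       # carol has been idle 3 hours
    }                                       # ttyp9 is missing: session already gone
    sessions = [Session("alice", "ttyp0", 1001), Session("bob", "ttyp1", 1002),
                Session("carol", "ttyp2", 1003), Session("ghost", "ttyp9", 1004)]

    def fake_stat(path):
        if path not in atimes:
            raise FileNotFoundError(path)
        return FakeStat(atimes[path])

    signalled = []

    def fake_kill(pid, sig):
        signalled.append(pid)

    users = reap(sessions, limit_minutes * 60, now, fake_stat, fake_kill)
    return users, signalled


if __name__ == "__main__":
    print(demo())   # (['bob', 'carol'], [1002, 1003])
```

Run as root from cron with the real os.stat and os.kill and a session list taken from w(1) or utmp; the demo only swaps in constructed values for both.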
From owner-freebsd-security@FreeBSD.ORG Mon Dec 3 05:10:58 2007
From: Norberto Meijome
Date: Mon, 3 Dec 2007 15:44:12 +1100
Subject: MD5 Collisions...

Hi everyone,

Not sure if you've read http://www.win.tue.nl/hashclash/SoftIntCodeSign/ .

Should some kind of advisory be sent to advise people not to rely solely on
MD5 checksums? Maybe an update to the man page is due? :

"
MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
been made that its security is in some doubt. The attacks on MD5 are in
the nature of finding ``collisions'' -- that is, multiple inputs which
hash to the same value; it is still unlikely for an attacker to be able
to determine the exact original input given a hash value.
"

Cheers,
B

_________________________
{Beto|Norberto|Numard} Meijome

If you find a solution and become attached to it, the solution may become
your next problem.

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.

From owner-freebsd-security@FreeBSD.ORG Mon Dec 3 07:31:18 2007
From: Mohacsi Janos
Date: Mon, 3 Dec 2007 08:15:18 +0100 (CET)
Subject: Re: MD5 Collisions...
On Mon, 3 Dec 2007, Norberto Meijome wrote:

> Hi everyone,
>
> Not sure if you've read http://www.win.tue.nl/hashclash/SoftIntCodeSign/ .
>
> Should some kind of advisory be sent to advise people not to rely solely on
> MD5 checksums? Maybe an update to the man page is due? :
>
> "
> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> been made that its security is in some doubt. The attacks on MD5 are in
> the nature of finding ``collisions'' -- that is, multiple inputs which
> hash to the same value; it is still unlikely for an attacker to be able
> to determine the exact original input given a hash value.
> "

Some measures are already taken:
- FreeBSD ports use not only MD5 but SHA256 additionally
- Same applies for FreeBSD ISO images

Best Regards,
Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882

From owner-freebsd-security@FreeBSD.ORG Mon Dec 3 07:48:03 2007
From: jason
Date: Sun, 2 Dec 2007 23:21:21 -0800 (PST)
Subject: Re: MD5 Collisions...

> Not sure if you've read http://www.win.tue.nl/hashclash/SoftIntCodeSign/ .
>
> Should some kind of advisory be sent to advise people not to rely solely
> on MD5 checksums? Maybe an update to the man page is due? :

This is very old news. Most tools and systems seem to have switched to SHA
variants: GPG (e.g., as used to sign FreeBSD security advisories) uses SHA1;
ports distinfo files use SHA256; etc.

The SHA variants have also been shown to be weaker than expected, too, but
they're stronger than MD5, and it's not really clear at this point that
there's anything better yet. The cryptographers are working on it:

http://www.nist.gov/hash-competition

I'm not sure why this made it to the front page of Slashdot again; identical
attacks were on the front page of Slashdot three years ago (see the links at
the bottom of your own URL...). Anyone in a position to understand what's
going on here already knew. And anyone who doesn't understand these results
is not going to be able to make any effective use of an advisory, and
they're just going to get scared over nothing. Therefore, I don't think any
kind of advisory is warranted.
-Jason

From owner-freebsd-security@FreeBSD.ORG Mon Dec 3 11:12:48 2007
From: Norberto Meijome
Date: Mon, 3 Dec 2007 22:12:43 +1100
Subject: Re: MD5 Collisions...

On Sun, 2 Dec 2007 23:21:21 -0800 (PST) jason wrote:

> Anyone in a position to understand what's going on here already knew. And
> anyone who doesn't understand these results is not going to be able to
> make any effective use of an advisory, and they're just going to get
> scared over nothing. Therefore, I don't think any kind of advisory is
> warranted.

Fair enough. I also know that ports, etc. don't solely rely on MD5, but I
think the text in man md5 could be updated a bit, or maybe point to some
external reference with more up-to-date information...

just my $0.01 anyway ;)

thanks,
B

_________________________
{Beto|Norberto|Numard} Meijome

Two things have come out of Berkeley, Unix and LSD. It is uncertain which
caused the other.

From owner-freebsd-security@FreeBSD.ORG Mon Dec 3 13:59:53 2007
From: Iang
Date: Mon, 03 Dec 2007 14:41:08 +0100
Subject: Re: MD5 Collisions...
Norberto Meijome wrote:
> Hi everyone,
>
> Not sure if you've read http://www.win.tue.nl/hashclash/SoftIntCodeSign/ .
>
> Should some kind of advisory be sent to advise people not to rely solely on
> MD5 checksums? Maybe an update to the man page is due? :

my 2c worth:

The attack is somewhat subtle, and doesn't really apply to the use that is
currently made of MD5.

The attack with MD5 is that if you can create your own text, you can create
2 texts with the same MD5. That however is very different to you creating a
new text with the same MD5 as my text. It is the latter that is normal usage.

In this case, if you are distributing your code with an MD5 signature so
others can check it, it is still not a useful attack. MD5 is still good for
that.

Having said that, the general warning is more or less correct; move to a
longer hash, if designing new apps.

However, it gets messier, as you need to choose a replacement:

* SHA1 is good "for now", but expected to suffer in a few short years. No
  point in picking that.

* SHA256 and friends are also under some sort of skeptical cloud, although
  they are likely good for a lot longer (ask 3 cryptographers for 7
  different answers here). While it could be good to pick SHA256, etc,
  there isn't that total 100% theoretical pareto-complete confidence that
  cryptographers insist on...

* To address this, NIST just a couple of months back announced a SHA3
  competition. This will in the space of maybe 4-6 years announce a new
  generation hash. Can you wait for that?

There are then a handful of strategies that might help:

a. switch to SHA256 now, and then SHA3 in 5 years time.
b. limp along on MD5 and plan on SHA3 when it is available.
c. add "hash agility" to all programs and allow apps to follow their desires.

Which you follow depends on where you are in the crypto-paranoia curve.

Unless the app is an actual vector of validated attacks, I'd suggest b. If
you are part of the community and like inflicting crypto turmoil on your
users for fun and pleasure, do c. If you are some big company and have to
answer to others' ideas of compliance, do a.

> "
> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> been made that its security is in some doubt. The attacks on MD5 are in
> the nature of finding ``collisions'' -- that is, multiple inputs which
> hash to the same value; it is still unlikely for an attacker to be able
> to determine the exact original input given a hash value.
> "

That's fine as a description of the problem. What it lacks is any advice as
to what an application developer should do about it. A tough issue :)

iang
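An added example, not from the thread or from the ports tree, of the "hash agility" Iang lists as option c, applied to the distinfo-style file Mohacsi and Jason mention, which lists several digests per distfile. The checker verifies every listed digest it can compute, refuses a file that is covered only by MD5 even when that MD5 matches (a collision-capable algorithm cannot bind the file on its own), and keeps its policy as a ranked list so a future algorithm is adopted by extending the list rather than changing the checking code. The file contents and distinfo lines are constructed; the "ALGO (file) = value" layout follows the ports distinfo format.

```python
import hashlib
import re

# Digest policy, strongest first. An algorithm this host's hashlib cannot
# provide is skipped at run time, so adding a future name (e.g. the SHA3
# winner) here is the whole migration; nothing below needs to change.
ACCEPTABLE = ("sha3_256", "sha512", "sha256")
TOLERATED = ("sha1", "md5")   # verified if listed, but never sufficient alone

# One distinfo line: "ALGO (file) = value"; the SIZE line has the same shape.
ENTRY_RE = re.compile(r"^([A-Za-z0-9_]+) \((.+)\) = ([0-9A-Fa-f]+)$")


def parse_distinfo(text):
    """Parse distinfo text into {file: {"ALGO": value}}.

    Digest values are lower-cased hex; SIZE is kept as a decimal string.
    Blank lines and the $FreeBSD$ id tag are ignored; anything else that does
    not match the line shape is an error rather than silently skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("$"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"malformed distinfo line: {line!r}")
        algo, name, value = m.group(1).upper(), m.group(2), m.group(3).lower()
        entries.setdefault(name, {})[algo] = value
    return entries


def verify_file(name, data, digests):
    """Check data against the digests listed for name; returns (ok, reason).

    Passes only if every digest we can compute matches AND at least one of
    them is an ACCEPTABLE algorithm. Weak digests are still checked when
    present, so a mismatching MD5 is reported, but an MD5-only entry fails
    the policy even when it matches."""
    if "SIZE" in digests and int(digests["SIZE"]) != len(data):
        return False, f"size mismatch for {name}"
    strong = 0
    for algo in ACCEPTABLE + TOLERATED:
        key = algo.upper()
        if key not in digests or algo not in hashlib.algorithms_available:
            continue
        if hashlib.new(algo, data).hexdigest() != digests[key]:
            return False, f"{key} mismatch for {name}"
        if algo in ACCEPTABLE:
            strong += 1
    if strong == 0:
        listed = ", ".join(sorted(k for k in digests if k != "SIZE")) or "none"
        return False, f"{name} covered only by weak digests: {listed}"
    return True, "ok"


def demo():
    """Constructed sample: a file listed with MD5+SHA256+SIZE (passes), one
    listed with MD5 only (rejected by policy), and one whose SHA256 was taken
    over different bytes than were delivered (rejected by digest)."""
    files = {
        "good-1.0.tar.gz": b"constructed tarball contents\n",
        "md5only-2.1.tar.gz": b"another constructed file\n",
        "tampered-3.0.tar.gz": b"bytes that were actually delivered\n",
    }
    published = b"bytes the publisher hashed\n"
    distinfo = "\n".join([
        "$FreeBSD$",
        f"MD5 (good-1.0.tar.gz) = {hashlib.md5(files['good-1.0.tar.gz']).hexdigest()}",
        f"SHA256 (good-1.0.tar.gz) = {hashlib.sha256(files['good-1.0.tar.gz']).hexdigest()}",
        f"SIZE (good-1.0.tar.gz) = {len(files['good-1.0.tar.gz'])}",
        f"MD5 (md5only-2.1.tar.gz) = {hashlib.md5(files['md5only-2.1.tar.gz']).hexdigest()}",
        f"SHA256 (tampered-3.0.tar.gz) = {hashlib.sha256(published).hexdigest()}",
    ])
    entries = parse_distinfo(distinfo)
    return {name: verify_file(name, data, entries.get(name, {}))
            for name, data in files.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```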
From owner-freebsd-security@FreeBSD.ORG Mon Dec 3 23:02:16 2007
From: Rich Murphey
Date: Mon, 03 Dec 2007 16:44:58 -0600
Subject: Re: MD5 Collisions...

Here's a paper by Eric Thompson of AccessData on "MD5 collisions and the
impact on computer forensics", published in the journal Digital
Investigation. It makes a similar argument that the MD5 collisions have very
limited practical impact on current use for evidence authentication in
computer forensics.

http://www.acquisitiondata.com/white_papers/md5-collisions.pdf

Rich Murphey
A > tough issue :) > > iang > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Tue Dec 4 05:26:43 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 20C5316A468 for ; Tue, 4 Dec 2007 05:26:43 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd3mo1so.prod.shaw.ca (idcmail-mo1so.shaw.ca [24.71.223.10]) by mx1.freebsd.org (Postfix) with ESMTP id E360C13C47E for ; Tue, 4 Dec 2007 05:26:42 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd3mr3so.prod.shaw.ca (pd3mr3so-qfe3.prod.shaw.ca [10.0.141.179]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0JSI00B6ZCAWG6F0@l-daemon> for freebsd-security@freebsd.org; Mon, 03 Dec 2007 21:25:44 -0700 (MST) Received: from pn2ml6so.prod.shaw.ca ([10.0.121.150]) by pd3mr3so.prod.shaw.ca (Sun Java System Messaging Server 6.2-7.05 (built Sep 5 2006)) with ESMTP id <0JSI00E86CAVO170@pd3mr3so.prod.shaw.ca> for freebsd-security@freebsd.org; Mon, 03 Dec 2007 21:25:44 -0700 (MST) Received: from hexahedron.daemonology.net ([24.82.201.197]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with SMTP id <0JSI00AFVCAVT540@l-daemon> for freebsd-security@freebsd.org; Mon, 03 Dec 2007 21:25:43 -0700 (MST) Received: (qmail 1257 invoked from network); Tue, 04 Dec 2007 04:25:38 +0000 Received: from unknown (HELO hexahedron.daemonology.net) (127.0.0.1) by localhost with SMTP; Tue, 04 Dec 2007 04:25:38 +0000 Date: Mon, 03 Dec 2007 20:25:38 -0800 From: Colin Percival In-reply-to: <20071203154412.461d0faf@meijome.net> To: Norberto Meijome Message-id: <4754D6C2.3030005@freebsd.org> MIME-version: 1.0 Content-type: 
Subject: Re: MD5 Collisions...

Norberto Meijome wrote:
> should some kind of advisory be sent to advise people not to rely solely on MD5 checksums? Maybe an update to the man page is due ? :
>
> "
> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> been made that its security is in some doubt. The attacks on MD5 are in
> the nature of finding ``collisions'' -- that is, multiple inputs which
> hash to the same value; it is still unlikely for an attacker to be able
> to determine the exact original input given a hash value.
> "

I fail to see how the man page is incorrect here. What do you think it should be saying instead?
Colin Percival
FreeBSD Security Officer

From: Norberto Meijome
To: Colin Percival
Cc: freebsd-security@freebsd.org
Date: Tue, 4 Dec 2007 23:11:45 +1100
Subject: Re: MD5 Collisions...

On Mon, 03 Dec 2007 20:25:38 -0800 Colin Percival wrote:
> Norberto Meijome wrote:
> > should some kind of advisory be sent to advise people not to rely solely on MD5 checksums? Maybe an update to the man page is due ? :
> >
> > "
> > MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> > been made that its security is in some doubt.
> > The attacks on MD5 are in
> > the nature of finding ``collisions'' -- that is, multiple inputs which
> > hash to the same value; it is still unlikely for an attacker to be able
> > to determine the exact original input given a hash value.
> > "
>
> I fail to see how the man page is incorrect here. What do you think it should
> be saying instead?

hi Colin,
yeah..the more I read it I see that it isn't wrong... maybe it's something to do with "not yet (2001....)" ...seems rather dated.
(the advisory idea was a bad one, i agree, oopsie :) )

I understand that the final nail in MD5's coffin hasn't been found yet (ie, we cannot "determine the exact original input given a hash value"), but the fact that certain magic bytes can be found (rather quickly) so that any 2 given binaries end up as collisions seems, from my unlearned POV, more serious or sinister than what the text above implies.

We put some strong kind of protection when vulnerabilities are found, in the form of portaudit and failing to build ports that have issues - some stronger words of warning (I am not sure what, precisely, but maybe pointing to a URL on freebsd.org with up to date info on this ?) could, possibly, be warranted.

Of course, it is only my point of view :)

thanks for your time,
B

_________________________
{Beto|Norberto|Numard} Meijome

It is better to remain silent and be thought a fool, than to speak, and remove all doubt.

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
From: Iang
To: Colin Percival
Cc: freebsd-security@freebsd.org
Date: Tue, 04 Dec 2007 13:43:39 +0100
Subject: Re: MD5 Collisions...

Colin Percival wrote:
> Norberto Meijome wrote:
>> should some kind of advisory be sent to advise people not to rely solely on MD5 checksums? Maybe an update to the man page is due ? :
>>
>> "
>> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
>> been made that its security is in some doubt. The attacks on MD5 are in
>> the nature of finding ``collisions'' -- that is, multiple inputs which
>> hash to the same value; it is still unlikely for an attacker to be able
>> to determine the exact original input given a hash value.
>> "
>
> I fail to see how the man page is incorrect here. What do you think it should
> be saying instead?

Perhaps, 1st two paras:

==============
Md5 is a cryptographic message digest algorithm. It takes as input a message of arbitrary length and produces as output a 128-bit ``fingerprint'' or ``digest'' of the input. Such algorithms are intended for applications where a large file must be ``compressed'' in a secure manner, suitable as a digital signature or as an input to a public-key cryptosystem for digital signature or encryption purposes.

MD5 is no longer recommended as a cryptographic message digest algorithm, although it functions very well as a big checksum. It is now feasible (2004) to produce two messages having the same MD5 message digest (``collision'' attack), and attacks of this nature are getting better and faster. It is still conjectured to be computationally infeasible (2007) to produce any message having a given prespecified target message digest (``preimage'' attack).
==============

It's worth checking carefully ... discussing the minutiae of cryptographic algorithms is like angels dancing on a pin.
iang

From: Matt Piechota
To: Norberto Meijome
Cc: freebsd-security@freebsd.org
Date: Tue, 04 Dec 2007 09:19:58 -0500
Subject: Re: MD5 Collisions...

Norberto Meijome wrote:
> I understand that the final nail in MD5's coffin hasn't been found
> yet ( ie, we cannot "determine the exact original input given a
> hash value") , but the fact that certain magic bytes can be found
> (rather quickly) so that any 2 given binaries end up as collisions
> seems , from my unlearned POV, more serious or sinister than what
> the text above implies.
I think the big mitigating factor is that you can't easily generate a message that has the same length as the original as well as the same hash. I believe when this came up awhile back, the ports collection (for example) was deemed safe since the scripts checked the file length and MD5 hash, but even so they've started using both MD5 and SHA256 hashes since the odds of a collision using both on the same message are essentially nil.

From: Roger Marquis
To: freebsd-security@freebsd.org
Date: Tue, 4 Dec 2007 06:27:54 -0800 (PST)
Subject: Re: MD5 Collisions...

Colin Percival wrote:
>> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
>> been made that its security is in some doubt. The attacks on MD5 are in
>> the nature of finding ``collisions'' -- that is, multiple inputs which
>> hash to the same value; it is still unlikely for an attacker to be able
>> to determine the exact original input given a hash value.
>> "
>
> I fail to see how the man page is incorrect here. What do you think it should
> be saying instead?

I would drop the statement altogether since it is not accurate for MD5 signatures of binary packages and tarballs. At the very least define the specific scenarios under which MD5 can be broken and drop the "its security is in some doubt" claim. Vague statements about crypto are worse than none at all.

--
Roger Marquis

From: Josh Paetzel
To: freebsd-security@freebsd.org
Cc: Roger Marquis
Date: Tue, 4 Dec 2007 09:07:45 -0600
Subject: Re: MD5 Collisions...
On Tuesday 04 December 2007 08:27:54 am Roger Marquis wrote:
> Colin Percival wrote:
> >> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> >> been made that its security is in some doubt. The attacks on MD5
> >> are in the nature of finding ``collisions'' -- that is, multiple inputs
> >> which hash to the same value; it is still unlikely for an attacker to be
> >> able to determine the exact original input given a hash value.
> >> "
> >
> > I fail to see how the man page is incorrect here. What do you think it
> > should be saying instead?
>
> I would drop the statement altogether since it is not accurate for MD5
> signatures of binary packages and tarballs. At the very least define the
> specific scenarios under which MD5 can be broken and drop the "its security
> is in some doubt" claim. Vague statements about crypto are worse than none
> at all.

I think some of the concerns expressed here seem to be focused on one particular use case of MD5. The main place FreeBSD seems to use MD5's is in verifying tarballs for ports. In this particular application MD5 + checking the length of the file + SHA256 is more than enough to ensure that the tarball hasn't been tampered with. In all reality, MD5 alone is enough for most cases, since generating meaningful collisions so far has required control of the original as well.
If you wanted to get really picky, MD5-ing a file is really the wrong way to go about it in the first place, since there's no stopping an attacker from replacing the tarball AND the MD5 sum on the download site together....as a port maintainer when I update a port how do I really know the files the project has published are what they intended? Unless they are digitally signed I really don't.

At any rate, there is some doubt about MD5. Since collisions have been discovered you can't make assertions about further problems being found in it. Perhaps someday someone will find a way to generate arbitrary same-length meaningful collisions...who's to know.

--
Thanks,

Josh Paetzel
PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
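The distfile check Matt and Josh describe above (file length plus MD5 and SHA256 recorded in distinfo), written out as an added example; it is not code from the ports tree or from any poster. It parses the `MD5 (file) = …` / `SHA256 (file) = …` / `SIZE (file) = …` record format, requires the size and every recorded digest to match, and, as a policy assumed here, refuses a record whose only digest is MD5; the distfile bytes are constructed for the example.

```python
"""Verifier for ports-style distinfo records (added example, not project code).

A distinfo file records, per distfile, lines of the form
    MD5 (foo-1.0.tar.gz) = <hex digest>
    SHA256 (foo-1.0.tar.gz) = <hex digest>
    SIZE (foo-1.0.tar.gz) = <byte count>
verify_distfile() accepts a file only if the size and *every* recorded digest
match and (policy assumed for this example) at least one strong digest is
recorded, so an MD5-only record is rejected even when its MD5 matches.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Assumption for this example: SHA256 or stronger may stand alone; MD5 may not.
STRONG_DIGESTS = {"SHA256", "SHA512"}
DIGESTS = {"MD5": hashlib.md5, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

_LINE = re.compile(r"^(?P<alg>[A-Z0-9]+) \((?P<file>[^)]+)\) = (?P<val>\S+)$")

Record = Dict[str, str]  # e.g. {"MD5": hex, "SHA256": hex, "SIZE": "123"}


def parse_distinfo(text: str) -> Dict[str, Record]:
    """Map each distfile name to its recorded digests and size."""
    entries: Dict[str, Record] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("$"):  # blank, or an old $FreeBSD$ id line
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"malformed distinfo line: {raw!r}")
        entries.setdefault(m["file"], {})[m["alg"]] = m["val"]
    return entries


def verify_distfile(name: str, data: bytes,
                    entries: Dict[str, Record]) -> Tuple[bool, List[str]]:
    """Return (accepted, problems) for one distfile against its record."""
    rec = entries.get(name)
    if rec is None:
        return False, ["no distinfo record"]
    problems: List[str] = []
    # The size check is cheap but cannot stand alone: a same-length
    # collision (the case discussed in the thread) passes it.
    if "SIZE" not in rec:
        problems.append("no SIZE recorded")
    elif int(rec["SIZE"]) != len(data):
        problems.append(f"size mismatch: got {len(data)}, expected {rec['SIZE']}")
    if not (set(rec) & STRONG_DIGESTS):
        problems.append("only weak digests recorded (MD5 is not collision resistant)")
    # Every recorded digest must match; a forgery has to defeat all of them.
    for alg, ctor in DIGESTS.items():
        if alg in rec and ctor(data).hexdigest() != rec[alg].lower():
            problems.append(f"{alg} mismatch")
    return not problems, problems


def make_distinfo(name: str, data: bytes, algs=("MD5", "SHA256")) -> str:
    """Build the distinfo text for data (what the maintainer side records)."""
    lines = [f"{alg} ({name}) = {DIGESTS[alg](data).hexdigest()}" for alg in algs]
    lines.append(f"SIZE ({name}) = {len(data)}")
    return "\n".join(lines) + "\n"


# Constructed sample distfile: not a real archive, just bytes to hash.
GOOD = b"constructed distfile contents for the added example\n"
# Same length with one byte altered: passes SIZE, must fail the digests.
TAMPERED = GOOD[:-2] + b"!\n"


if __name__ == "__main__":
    name = "example-1.0.tar.gz"
    full = parse_distinfo(make_distinfo(name, GOOD))
    print("good file:", verify_distfile(name, GOOD, full))
    print("tampered :", verify_distfile(name, TAMPERED, full))
    md5_only = parse_distinfo(make_distinfo(name, GOOD, algs=("MD5",)))
    print("MD5-only :", verify_distfile(name, GOOD, md5_only))
```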
From: Eygene Ryabinkin
To: Matt Piechota
Cc: freebsd-security@freebsd.org
Date: Tue, 4 Dec 2007 18:40:58 +0300
Subject: Re: MD5 Collisions...

Matt, good day.

Tue, Dec 04, 2007 at 09:19:58AM -0500, Matt Piechota wrote:
> Norberto Meijome wrote:
> > I understand that the final nail in MD5's coffin hasn't been found
> > yet ( ie, we cannot "determine the exact original input given a
> > hash value") , but the fact that certain magic bytes can be found
> > (rather quickly) so that any 2 given binaries end up as collisions
> > seems , from my unlearned POV, more serious or sinister than what
> > the text above implies.
>
> I think the big mitigating factor is that you can't easily generate a
> message that has the same length as the original as well as the same hash.

No, read Kaminsky's paper (http://www.doxpara.com/md5_someday.pdf): with Wang's and Joux's multicollision attack (or its extensions) one can generate files with the same sizes and MD5 hashes.
The usefulness of this with application to the ports collection is questionable, since you should make two colliding archives and both of them should be unpackable and the second should do some evil things. But strictly speaking, there are attacks producing files with the same size and MD5 hash.

http://www.cits.rub.de/MD5Collisions/ is also a good reading.

--
Eygene

From: Josh Paetzel
To: freebsd-security@freebsd.org
Date: Tue, 4 Dec 2007 10:10:32 -0600
Subject: Re: MD5 Collisions...
On Tuesday 04 December 2007 09:40:58 am Eygene Ryabinkin wrote:
> Matt, good day.
>
> Tue, Dec 04, 2007 at 09:19:58AM -0500, Matt Piechota wrote:
> > Norberto Meijome wrote:
> > > I understand that the final nail in MD5's coffin hasn't been found
> > > yet ( ie, we cannot "determine the exact original input given a
> > > hash value") , but the fact that certain magic bytes can be found
> > > (rather quickly) so that any 2 given binaries end up as collisions
> > > seems , from my unlearned POV, more serious or sinister than what
> > > the text above implies.
> >
> > I think the big mitigating factor is that you can't easily generate a
> > message that has the same length as the original as well as the same
> > hash.
>
> No, read Kaminsky's paper (http://www.doxpara.com/md5_someday.pdf):
> with Wang's and Joux's multicollision attack (or its extensions)
> one can generate files with the same sizes and MD5 hashes.
>
> The usefulness of this with application to the ports collection
> is questionable, since you should make two colliding archives and
> both of them should be unpackable and the second should do some
> evil things. But strictly speaking, there are attacks producing
> files with the same size and MD5 hash.
>
> http://www.cits.rub.de/MD5Collisions/ is also a good reading.

It's not really questionable....for all practical purposes it's worthless. In order to generate meaningful same-length collisions you need control of the original file. (Your links go to lengths to explain this...)
In the case of a ports distfile if you have control of the original file you really don't need to go to great lengths to generate collisions, you can simply toss your malicious content in there right from the get go.

--
Thanks,

Josh Paetzel
PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB

From: Eygene Ryabinkin
To: Josh Paetzel
Date: Tue, 4 Dec 2007 19:43:45 +0300
Cc: freebsd-security@freebsd.org
Subject: Re: MD5 Collisions...

Josh, good day.

Tue, Dec 04, 2007 at 10:10:32AM -0600, Josh Paetzel wrote:
> > The usefulness of this with application to the ports collection
> > is questionable, since you should make two colliding archives and
> > both of them should be unpackable and the second should do some
> > evil things. But strictly speaking, there are attacks producing
> > files with the same size and MD5 hash.
> >
> > http://www.cits.rub.de/MD5Collisions/ is also a good reading.
>
> It's not really questionable....for all practical purposes it's worthless. In
> order to generate meaningful same-length collisions you need control of the
> original file. (Your links go to lengths to explain this...) In the case of
> a ports distfile if you have control of the original file you really don't
> need to go to great lengths to generate collisions, you can simply toss your
> malicious content in there right from the get go.

Yes, thanks for clarifying the point that one should be able to control both sequences in order to produce colliding files with the same size.

But there is at least one scenario when such an attack is useful, if one is able to produce two colliding source archives. Suppose I am providing a port with new sources (either a new port or an update to the current one) and I am controlling the source tarballs. The sources will supposedly be reviewed by some parties and they will find no backdoors in them.
So the port comes into the systems and it is thought to be good and useful.

Once the port has proved itself, I replace the good source tarballs with the evil ones (remember, I had prepared two colliding archives) and no one will notice the difference with the MD5 + size check. But new port installations will be doing something different from the sources that were reviewed.

Again, this is only a theoretical thing with many preconditions, but if I am able to make two colliding archives, then the other things are not very hard to achieve. People are producing colliding X.509 certificates, so we have an example of not 'just junk colliding content', but something meaningful.

I am not going to flame about the real possibility of doing these for many reasons, and the first one is that it is no longer doable for the current ports where SHA256 is in the game. All I wanted to say is that there are scenarios where one can exploit the MD5 weakness, providing one can extend MD5 collision attacks to archives.

Shutting up.
--
Eygene

From: Josh Paetzel
To: freebsd-security@freebsd.org
Date: Tue, 4 Dec 2007 12:26:53 -0600
Subject: Re: MD5 Collisions...

On Tuesday 04 December 2007 10:43:45 am Eygene Ryabinkin wrote:
> Josh, good day.
>
> Tue, Dec 04, 2007 at 10:10:32AM -0600, Josh Paetzel wrote:
> > > The usefulness of this with application to the ports collection
> > > is questionable, since you should make two colliding archives and
> > > both of them should be unpackable and the second should do some
> > > evil things. But strictly speaking, there are attacks producing
> > > files with the same size and MD5 hash.
> > >
> > > http://www.cits.rub.de/MD5Collisions/ is also a good reading.
> >
> > It's not really questionable....for all practical purposes it's
> > worthless. In order to generate meaningful same-length collisions you
> > need control of the original file. (Your links go to lengths to explain
> > this...) In the case of a ports distfile if you have control of the
> > original file you really don't need to go to great lengths to generate
> > collisions, you can simply toss your malicious content in there right
> > from the get go.
>
> Yes, thanks for clarifying the point that one should be able to control
> both sequences in order to produce colliding files with the same size.
>
> But there is at least one scenario, when such attack is useful, if
> one will be able to produce two colliding source archives. Suppose,
> I am providing a port with new sources (either the new port or an
> update to the current one) and I am controlling the source tarballs.
> The sources will be supposedly reviewed by some parties and they
> will find no backdoors in it. So the port comes in the systems and
> it is thought to be good and useful.
>
> Once the port proved itself, I am replacing the good source tarballs
> with the evil ones (remember, I had prepared two colliding archives)
> and no one will notice the difference with MD5 + size check. But new
> port installations will be doing something different from the sources
> that were reviewed.
>
> Again, this is only theoretical thing with many preconditions, but
> if I am able to make two colliding archives, then other things are
> not very hard to achieve. People are producing colliding X.509
> certificates, so we have an example of not 'just junk colliding
> content', but something meaningful.
>
> I am not going to flame about the real possibility of doing these
> for many reasons, and the first one that it is no longer doable for
> the current ports where SHA256 is in the game. All I wanted to say
> that there are scenarios where one can exploit MD5 weakness, providing
> one can extend MD5 collision attacks to archives.
>
> Shutting up.

Well, your point is well made, correct, and a realistic scenario (depending on your paranoia level).

I totally agree with the original links posted. We know MD5 has problems, it's only a matter of time before a really significant one is discovered, therefore it makes sense to avoid using it whenever possible even if the current problems don't seem to affect your use-case.

--
Thanks,

Josh Paetzel
PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
From owner-freebsd-security@FreeBSD.ORG Tue Dec 4 20:01:01 2007
From: Wes Peters
To: freebsd-security@freebsd.org
Date: Tue, 4 Dec 2007 11:43:28 -0800
Subject: Re: MD5 Collisions...

Colin Percival asked:
> Norberto Meijome wrote:
>> should some kind of advisory be sent to advise people not to rely
>> solely on MD5 checksums? Maybe an update to the man page is due ? :
>>
>> "
>> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
>> been made that its security is in some doubt. The attacks on MD5 are in
>> the nature of finding ``collisions'' -- that is, multiple inputs which
>> hash to the same value; it is still unlikely for an attacker to be able
>> to determine the exact original input given a hash value.
>> "
>
> I fail to see how the man page is incorrect here. What do you think it should
> be saying instead?

Nothing. This is philosophy, which goes far beyond the scope of man pages. As a security researcher, it's fun to spend years poking at a problem until you find a way to exploit it, and the meaning doesn't change if the exploit takes all of the computing resources that existed in the known universe up to last year.

In the real world, these 'attacks' have little meaning. The common uses of MD5 as applied to the average FreeBSD consumer consist of adding some amount of assurance that the bits said user just downloaded are indeed the bits (s)he wanted to download. The probability of someone compromising one or more servers, replacing the compressed tar image with another compressed tar image of the SAME LENGTH that is still valid and that manages to do much the same work as the original, plus some nefarious additional function, is infinitesimally small.

In theory, theory is better than practice, but in practice, it never is.

The one direction the FreeBSD Project should take from this discussion is that cryptography, like any form of security, is an arms race. Utilities that use cryptography for protection should plan on being able to use newer ciphers from the very beginning, because what we have now will, in practice, NEVER be enough tomorrow, for some tomorrow.

-- 
Where am I, and what am I doing in this handbasket?
Wes Peters
wes@softweyr.com

From owner-freebsd-security@FreeBSD.ORG Wed Dec 5 01:44:52 2007
From: Norberto Meijome
To: Iang
Cc: freebsd-security@freebsd.org, Colin Percival
Date: Wed, 5 Dec 2007 12:44:45 +1100
Subject: Re: MD5 Collisions...

On Tue, 04 Dec 2007 13:43:39 +0100 Iang wrote:
> Perhaps, 1st two paras:
>
> ==============
> Md5 is a cryptographic message digest algorithm. It takes
> as input a message of arbitrary length and produces as
> output a 128-bit ``fingerprint'' or ``digest'' of the input.
> Such algorithms are intended for applications where a
> large file must be ``compressed'' in a secure manner,
> suitable as a digital signature or as an input to a
> public-key cryptosystem for digital signature or encryption
> purposes.
>
> MD5 is no longer recommended as a cryptographic message
> digest algorithm, although it functions very well as a big
> checksum. It is now feasible (2004) to produce two messages
> having the same MD5 message digest (``collision'' attack),
> and attacks of this nature are getting better and faster.
> It is still conjectured to be computationally infeasible
> (2007) to produce any message having a given prespecified
> target message digest (``preimage'' attack).
> ==============
>
> It's worth checking carefully ... discussing the minutiae of
> cryptographic algorithms is like angels dancing on a pin.

Thanks Iang - looks good to me.

BTW, I just checked man 3 md5, and it may need updating - it refers to 1999..

"
MD5 has not yet (1999-02-11) been broken, but sufficient attacks have been made that its security is in some doubt....
"

B

_________________________
{Beto|Norberto|Numard} Meijome

Commitment is active, not passive. Commitment is doing whatever you can to bring about the desired result. Anything less is half-hearted.

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
From owner-freebsd-security@FreeBSD.ORG Fri Dec 7 08:19:55 2007
From: Raffaele De Lorenzo
To: freebsd-security@freebsd.org
Date: Fri, 07 Dec 2007 09:19:54 +0100
Subject: Added native socks support to libc in FreeBSD 7

Hi,

I added native (client) SOCKS V4/V5 support inside the FreeBSD libc library. The work is based on my project CSOCKS (see http://csocks.altervista.org).

You can get it here:
http://csocks.altervista.org/download/FreeBSD_libc.tar.gz

CHANGES:

I changed the file:
/usr/src/lib/libc/Makefile

I added the directory:
/usr/src/lib/libc/socks

It contains the files:
csocks.c
csocks.h
csocks.conf.5
csocks.1
Makefile.inc

I added the configuration file (csocks.conf in the /etc/ directory):
/usr/src/etc/

INSTALL INSTRUCTIONS:

copy the Makefile in /usr/src/lib/libc/
copy the directory socks in /usr/src/lib/libc/
touch /etc/csocks.conf
recompile the libc and install it (cd /usr/src/lib/libc && make && make install)

I tested it in FreeBSD 7 only on i386.

cheers
Raffaele