Date:      Tue, 4 Dec 2007 09:07:45 -0600
From:      Josh Paetzel <josh@tcbug.org>
To:        freebsd-security@freebsd.org
Cc:        Roger Marquis <marquis@roble.com>
Subject:   Re: MD5 Collisions...
Message-ID:  <200712040907.48394.josh@tcbug.org>
In-Reply-To: <20071204142754.2F6362B228A@mx5.roble.com>
References:  <20071204120020.2CCA416A469@hub.freebsd.org> <20071204142754.2F6362B228A@mx5.roble.com>

On Tuesday 04 December 2007 08:27:54 am Roger Marquis wrote:
> Colin Percival wrote:
> >> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> >>      been made that its security is in some doubt.  The attacks on MD5
> >> are in the nature of finding ``collisions'' -- that is, multiple inputs
> >> which hash to the same value; it is still unlikely for an attacker to be
> >> able to determine the exact original input given a hash value.
> >> "
> >
> > I fail to see how the man page is incorrect here.  What do you think it
> > should be saying instead?
>
> I would drop the statement altogether since it is not accurate for MD5
> signatures of binary packages and tarballs.  At the very least define the
> specific scenarios under which MD5 can be broken and drop the "its security
> is in some doubt" claim.  Vague statements about crypto are worse than none
> at all.

I think some of the concerns expressed here seem to be focused on one
particular use case of MD5.  The main place FreeBSD seems to use MD5 is in
verifying tarballs for ports.  In this particular application MD5 + checking
the length of the file + SHA256 is more than enough to ensure that the
tarball hasn't been tampered with.  In all reality, MD5 alone is enough for
most cases, since generating meaningful collisions so far has required
control of the original as well.

If you wanted to get really picky, MD5-ing a file is really the wrong way to
go about it in the first place, since there's no stopping an attacker from
replacing the tarball AND the MD5 sum on the download site together.... As a
port maintainer, when I update a port how do I really know the files the
project has published are what they intended?  Unless they are digitally
signed I really don't.

At any rate, there is some doubt about MD5.  Since collisions have been
discovered you can't make assertions about further problems being found in
it.  Perhaps someday someone will find a way to generate arbitrary
same-length meaningful collisions... who's to know.

-- 
Thanks,

Josh Paetzel

PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
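The check Josh describes (MD5 + file length + SHA256 recorded against each distfile) can be tried out with the following script, which is an added example and not code from the thread or from the FreeBSD ports framework. It writes and parses records in the `ALGO (filename) = value` style used by distinfo files, verifies a constructed tarball stand-in against them, and shows the two points made above: a same-length tampered file slips past the SIZE check but not the hashes, and a distinfo regenerated by whoever replaced the file verifies cleanly, so the record must come from a channel the attacker does not control. The distfile bytes and file name are constructed for the example.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a distfile; not a real tarball.
SAMPLE_DISTFILE = b"constructed tarball bytes for the example\n" * 10
SAMPLE_NAME = "example-1.0.tar.gz"  # constructed file name

# One record per line: "MD5 (name) = hex", "SHA256 (name) = hex", "SIZE (name) = bytes".
DISTINFO_LINE = re.compile(r"^(?P<algo>MD5|SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def make_distinfo(name: str, data: bytes) -> str:
    """Produce the three distinfo lines a maintainer would commit for one distfile."""
    return "\n".join([
        f"MD5 ({name}) = {hashlib.md5(data).hexdigest()}",
        f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}",
        f"SIZE ({name}) = {len(data)}",
    ])


def parse_distinfo(text: str) -> Dict[str, Dict[str, str]]:
    """Parse distinfo text into {filename: {algo: value}}; reject lines that do not fit."""
    records: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DISTINFO_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised distinfo line: {line!r}")
        records.setdefault(m.group("name"), {})[m.group("algo")] = m.group("value")
    return records


def verify_distfile(name: str, data: bytes, records: Dict[str, Dict[str, str]]) -> Tuple[bool, List[str]]:
    """Check SIZE, MD5 and SHA256 for one file; return (ok, list of failed checks).

    All checks are evaluated so the caller can see which ones a tampered file
    defeats; a same-length change passes SIZE and is caught only by the hashes.
    """
    expected = records.get(name)
    if expected is None:
        return False, [f"no distinfo entry for {name}"]
    failures: List[str] = []
    if "SIZE" in expected and len(data) != int(expected["SIZE"]):
        failures.append("SIZE")
    for algo, fn in (("MD5", hashlib.md5), ("SHA256", hashlib.sha256)):
        if algo in expected and fn(data).hexdigest() != expected[algo].lower():
            failures.append(algo)
    return (not failures), failures


if __name__ == "__main__":
    trusted = parse_distinfo(make_distinfo(SAMPLE_NAME, SAMPLE_DISTFILE))
    print("genuine file:", verify_distfile(SAMPLE_NAME, SAMPLE_DISTFILE, trusted))

    # Same-length tampering: flip one bit, so SIZE still matches.
    flipped = bytes([SAMPLE_DISTFILE[0] ^ 1]) + SAMPLE_DISTFILE[1:]
    print("same-length tamper:", verify_distfile(SAMPLE_NAME, flipped, trusted))

    # Josh's point: if the attacker also replaces the sums, the checks say nothing.
    forged = parse_distinfo(make_distinfo(SAMPLE_NAME, flipped))
    print("tampered file with attacker's own distinfo:", verify_distfile(SAMPLE_NAME, flipped, forged))
```

The value of the record therefore depends entirely on where `trusted` comes from: a distinfo taken from the ports tree checkout is a separate channel from the project's download site, which is what makes the comparison meaningful; a distinfo fetched alongside the tarball is not.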




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200712040907.48394.josh>