Date: Wed, 25 Aug 2004 21:51:50 +0200 (CEST) From: guy@device.dyndns.org To: Mike Tancsa <mike@sentex.net> Cc: freebsd-security@freebsd.org Subject: Re: Report of collision-generation with MD5 Message-ID: <XFMail.20040825215150.guy@device.dyndns.org> In-Reply-To: <6.1.2.0.0.20040818141732.04a6e060@64.7.153.2>
next in thread | previous in thread | raw e-mail | index | archive | help
On 18-Aug-2004 Mike Tancsa wrote: > As I have no crypto background to evaluate some of the (potentially wild > and erroneous) claims being made in the popular press* (eg > http://news.com.com/2100-1002_3-5313655.html see quote below), one thing > that comes to mind is the safety of ports. If someone can pad an archive > to come up with the same MD5 hash, this would challenge the security of > the FreeBSD ports system no ? I _believe_ answer is "no", because i _think_ the FreeBSD ports system also verify the size of the archive(s) (cat /usr/ports/any/any/distinfo to see what made me think that). Padding would modify archive size. Finding a backdoored version that both satisfy producing the same hash and being the same size is probably not impossible, but how many years would it take ? Now, i may be wrong. Any enlightement welcome. -- Guy
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?XFMail.20040825215150.guy>