From owner-freebsd-security@FreeBSD.ORG Mon Dec 3 07:31:18 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6022D16A418 for ; Mon, 3 Dec 2007 07:31:18 +0000 (UTC) (envelope-from mohacsi@niif.hu) Received: from mail.ki.iif.hu (mail.ki.iif.hu [193.6.222.241]) by mx1.freebsd.org (Postfix) with ESMTP id 36F6B13C474 for ; Mon, 3 Dec 2007 07:31:18 +0000 (UTC) (envelope-from mohacsi@niif.hu) Received: from localhost (localhost [IPv6:::1]) by mail.ki.iif.hu (Postfix) with ESMTP id 748E884A5D; Mon, 3 Dec 2007 08:15:21 +0100 (CET) X-Virus-Scanned: by amavisd-new at mignon.ki.iif.hu Received: from mail.ki.iif.hu ([127.0.0.1]) by localhost (mignon.ki.iif.hu [127.0.0.1]) (amavisd-new, port 10024) with LMTP id TbU1m+QstSfn; Mon, 3 Dec 2007 08:15:18 +0100 (CET) Received: by mail.ki.iif.hu (Postfix, from userid 9002) id 9049984A56; Mon, 3 Dec 2007 08:15:18 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by mail.ki.iif.hu (Postfix) with ESMTP id 8EFED84A53; Mon, 3 Dec 2007 08:15:18 +0100 (CET) Date: Mon, 3 Dec 2007 08:15:18 +0100 (CET) From: Mohacsi Janos X-X-Sender: mohacsi@mignon.ki.iif.hu To: Norberto Meijome In-Reply-To: <20071203154412.461d0faf@meijome.net> Message-ID: <20071203081159.J83729@mignon.ki.iif.hu> References: <20071203154412.461d0faf@meijome.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@freebsd.org Subject: Re: MD5 Collisions... X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Dec 2007 07:31:18 -0000 On Mon, 3 Dec 2007, Norberto Meijome wrote: > Hi everyone, > > Not sure if you've read http://www.win.tue.nl/hashclash/SoftIntCodeSign/ . > > should some kind of advisory be sent to advise people not to rely solely on MD5 checksums? Maybe an update to the man page is due ? : > > " > MD5 has not yet (2001-09-03) been broken, but sufficient attacks have > been made that its security is in some doubt. The attacks on MD5 are in > the nature of finding ``collisions'' -- that is, multiple inputs which > hash to the same value; it is still unlikely for an attacker to be able > to determine the exact original input given a hash value. > " Some measures are already taken: - FreeBSD ports use not only MD5 but SHA256 additionaly - Same applied for FreeBSD ISO images Best Regards, Janos Mohacsi Network Engineer, Research Associate, Head of Network Planning and Projects NIIF/HUNGARNET, HUNGARY Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882