From owner-freebsd-security@FreeBSD.ORG  Thu Aug 26 13:36:09 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 62FDA16A4CE
	for <freebsd-security@freebsd.org>;
	Thu, 26 Aug 2004 13:36:09 +0000 (GMT)
Received: from dirg.bris.ac.uk (dirg.bris.ac.uk [137.222.10.102])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2E32943D58
	for <freebsd-security@freebsd.org>;
	Thu, 26 Aug 2004 13:36:09 +0000 (GMT)
	(envelope-from Jan.Grant@bristol.ac.uk)
Received: from mail.ilrt.bris.ac.uk ([137.222.16.62])
	by dirg.bris.ac.uk with esmtp (Exim 4.34)
	id 1C0KQ6-0005LR-PC; Thu, 26 Aug 2004 14:36:04 +0100
Received: from cmjg (helo=localhost)
	by mail.ilrt.bris.ac.uk with local-esmtp (Exim 4.34)
	id 1C0KPd-0002Wu-E0; Thu, 26 Aug 2004 14:35:34 +0100
Date: Thu, 26 Aug 2004 14:35:33 +0100 (BST)
From: Jan Grant <Jan.Grant@bristol.ac.uk>
X-X-Sender: cmjg@mail.ilrt.bris.ac.uk
To: Mike Tancsa <mike@sentex.net>
In-Reply-To: <6.1.2.0.0.20040818141732.04a6e060@64.7.153.2>
Message-ID: <Pine.GSO.4.61.0408261433110.17591@mail.ilrt.bris.ac.uk>
References: <200408181724.i7IHORYl013375@bunrab.catwhisker.org>
	<6.1.2.0.0.20040818141732.04a6e060@64.7.153.2>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Jan Grant <Jan.Grant@bristol.ac.uk>
X-Spam-Score: 0.0
X-Spam-Level: /
cc: "Peter C. Lai" <sirmoo@cowbert.net>
cc: freebsd-security@freebsd.org
Subject: Re: Report of collision-generation with MD5
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Aug 2004 13:36:09 -0000

On Wed, 18 Aug 2004, Mike Tancsa wrote:

> If someone can pad an archive to come
> up with the same MD5 hash, this would challenge the security of the FreeBSD
> ports system no ?

You are correct. However, that is not what the paper is demonstrating. 
It's showing how to find two separate strings that you can tack on the 
end of a arbitrary file (the strings are parameterised by file contents) 
and the resulting MD5 hashes of both new files will be the same. They 
will not be the same as that of the original file.


-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
That which does not kill us goes straight to our thighs.