Date: Wed, 25 Aug 2004 13:16:40 -0700
From: Brooks Davis <brooks@one-eyed-alien.net>
To: guy@device.dyndns.org
Cc: freebsd-security@freebsd.org
Subject: Re: Report of collision-generation with MD5
Message-ID: <20040825201640.GB25259@odin.ac.hmc.edu>
In-Reply-To: <XFMail.20040825215150.guy@device.dyndns.org>
References: <6.1.2.0.0.20040818141732.04a6e060@64.7.153.2> <XFMail.20040825215150.guy@device.dyndns.org>
On Wed, Aug 25, 2004 at 09:51:50PM +0200, guy@device.dyndns.org wrote:
>
> On 18-Aug-2004 Mike Tancsa wrote:
> > As I have no crypto background to evaluate some of the (potentially wild
> > and erroneous) claims being made in the popular press* (eg
> > http://news.com.com/2100-1002_3-5313655.html see quote below), one thing
> > that comes to mind is the safety of ports.  If someone can pad an archive
> > to come up with the same MD5 hash, this would challenge the security of
> > the FreeBSD ports system, no?
>
> I _believe_ the answer is "no", because I _think_ the FreeBSD ports system
> also verifies the size of the archive(s) (cat /usr/ports/any/any/distinfo
> to see what made me think that).
>
> Padding would modify archive size.  Finding a backdoored version that
> satisfies both producing the same hash and being the same size is probably
> not impossible, but how many years would it take?

I suspect the fact that the files are compressed also adds significantly to
the difficulty since you don't have a whole lot of direct control over the
bytes of the archive.

Paranoia might suggest adding support for multiple hashes, which would
vastly increase the difficulty of finding a collision (unless the hashes
used are broken in a very similar manner).  If someone can create a .bz2
containing a trojan that matches size, MD5, and SHA1, we're probably
totally screwed anyway. ;-)  If this were done, adding a tool to generate
multiple hashes in one go would probably make the users happier since just
reading some of the dist files can take a while.

Hmm, one thing to think about might be making sure the various archive
formats are hard to pad with junk.  I think the stream-based ones need to
allow zero padding at the end to support tapes, but it would be interesting
to see if other junk can end up in padding sections without the archiver
noticing.  If so, that would be a good thing to find a way to detect.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
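The two mechanisms the message discusses, a distinfo check that verifies size plus more than one digest, and a scan for junk hidden in the padding regions of a tar stream, as an added Python example written for this page. It is not code from the FreeBSD ports tree or from the message's author. The distinfo line format (`MD5 (file) = hex`, `SIZE (file) = n`) follows the ports convention; the SHA256 line, the one-member sample archive and the injected junk are constructed here for the demonstration.

```python
"""Distinfo-style verification (SIZE plus several digests) and a scan for
non-zero bytes hidden where a ustar stream only permits zero padding.
Example code for this page, not FreeBSD's ports code."""
import hashlib
import io
import re
import tarfile

BLOCK = 512
# distinfo lines look like:  MD5 (foo-1.0.tar.gz) = <hex>   /   SIZE (foo-1.0.tar.gz) = 12345
_DISTINFO_RE = re.compile(r"^(\w+) \((.+)\) = (\S+)$")


def parse_distinfo(text):
    """Return {filename: {ALGO: expected}} for every well-formed line."""
    records = {}
    for line in text.splitlines():
        m = _DISTINFO_RE.match(line.strip())
        if m:
            algo, name, value = m.groups()
            records.setdefault(name, {})[algo.upper()] = value
    return records


def verify_distfile(data, name, records):
    """Check data against every record for name and return the list of
    failed checks (empty == all recorded checks passed).  A file with no
    entry fails, and so does a digest this hashlib cannot compute."""
    checks = records.get(name)
    if not checks:
        return ["no distinfo entry"]
    failed = []
    for algo, expected in checks.items():
        if algo == "SIZE":
            actual = str(len(data))
        else:
            try:
                actual = hashlib.new(algo.lower(), data).hexdigest()
            except ValueError:
                failed.append(algo + " (unsupported)")
                continue
        if actual != expected.lower():
            failed.append(algo)
    return failed


def _scan_padding(blob, start, end, findings):
    """Record (offset, bytes) of the non-zero run inside blob[start:end], if any."""
    region = blob[start:end]
    stripped = region.lstrip(b"\0")
    if stripped:
        findings.append((start + len(region) - len(stripped), stripped.rstrip(b"\0")))


def tar_padding_junk(blob):
    """Walk an uncompressed ustar stream header by header and report non-zero
    data in the two places the format only allows zero padding: the slack
    between a member's data and the next 512-byte boundary, and everything
    after the end-of-archive marker.  Assumes plain octal size fields (no
    GNU base-256 extension).  An empty list means all padding is clean."""
    findings, off = [], 0
    while off + BLOCK <= len(blob):
        hdr = blob[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:          # end-of-archive marker reached
            break
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
        data_end = off + BLOCK + size
        slack_end = off + BLOCK + (size + BLOCK - 1) // BLOCK * BLOCK
        _scan_padding(blob, data_end, slack_end, findings)
        off = slack_end
    _scan_padding(blob, off, len(blob), findings)
    return findings


def build_sample_tar(junk=b"", where="tail"):
    """Constructed sample: a one-member ustar archive.  If junk is given it
    overwrites existing zero padding, either the member's slack ("slack") or
    the record padding after the end marker ("tail"), so the size is unchanged."""
    payload = b"#!/bin/sh\necho hello\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo("hello.sh")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    blob = bytearray(buf.getvalue())
    if junk:
        start = BLOCK + len(payload) if where == "slack" else len(blob) - BLOCK
        assert blob[start:start + len(junk)] == b"\0" * len(junk)   # really padding
        blob[start:start + len(junk)] = junk
    return bytes(blob)


def list_members(blob):
    """What a tar reader that stops at the end marker reports."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
        return tf.getnames()


def make_distinfo(name, data):
    """Constructed distinfo: MD5 and SIZE as ports recorded them in 2004,
    plus SHA256 as the 'more than one hash' suggestion from the message."""
    return "".join(f"{algo} ({name}) = {value}\n" for algo, value in (
        ("MD5", hashlib.md5(data).hexdigest()),
        ("SHA256", hashlib.sha256(data).hexdigest()),
        ("SIZE", len(data))))


def demo(junk=b"#!/bin/sh\necho pwned\n", where="tail"):
    name = "hello-1.0.tar"
    clean, tampered = build_sample_tar(), build_sample_tar(junk, where)
    records = parse_distinfo(make_distinfo(name, clean))
    return {
        "same_size": len(clean) == len(tampered),
        "same_members": list_members(clean) == list_members(tampered),
        "clean_failures": verify_distfile(clean, name, records),
        "tampered_failures": verify_distfile(tampered, name, records),
        "clean_junk": tar_padding_junk(clean),
        "tampered_junk": tar_padding_junk(tampered),
    }
```

`demo()` shows the point of the last paragraph: junk written into padding that is already there leaves both the file size and the member list a tar reader sees unchanged, so the SIZE line alone does not notice it, while the digest lines and the padding scan both flag it. Whether an attacker could place such junk and still hit a fixed MD5 is the collision question the thread leaves open; the scan only tells you that bytes are present where nothing but zeros should be.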
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040825201640.GB25259>