Date: Mon, 03 Dec 2007 20:25:38 -0800
From: Colin Percival
To: Norberto Meijome
Cc: freebsd-security@freebsd.org
Subject: Re: MD5 Collisions...
Message-id: <4754D6C2.3030005@freebsd.org>
In-reply-to: <20071203154412.461d0faf@meijome.net>

Norberto Meijome wrote:
> should some kind of advisory be sent to advise people not to rely solely on MD5 checksums? Maybe an update to the man page is due? :
>
> "
> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> been made that its security is in some doubt. The attacks on MD5 are in
> the nature of finding ``collisions'' -- that is, multiple inputs which
> hash to the same value; it is still unlikely for an attacker to be able
> to determine the exact original input given a hash value.
> "

I fail to see how the man page is incorrect here. What do you think it
should be saying instead?

Colin Percival
FreeBSD Security Officer
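
Added example, not part of the original message or of FreeBSD: the distinction the quoted man page text draws, finding any two inputs that collide versus finding an input for one given hash value, measured on MD5 truncated to 16 bits so both searches finish quickly. The truncation, the function names and the sample inputs are constructed for illustration; this is generic brute-force search, not the published collision attacks on full MD5.

```python
import hashlib
from itertools import count

BITS = 16  # constructed toy size: keep only the first 16 bits of each digest


def short_md5(data: bytes, bits: int = BITS) -> int:
    """First `bits` bits of MD5(data) as an integer (bits <= 128)."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)


def find_collision(bits: int = BITS):
    """Birthday search for ANY two distinct inputs with equal truncated hash.

    About 2**(bits/2) tries are expected; the pigeonhole principle
    guarantees success within 2**bits + 1 tries.
    """
    seen = {}
    for tries in count(1):
        msg = b"collision-%d" % tries
        h = short_md5(msg, bits)
        if h in seen:
            return seen[h], msg, tries
        seen[h] = msg


def find_preimage(target: int, bits: int = BITS, limit: int = 1 << 22):
    """Search for an input hashing to ONE fixed target value.

    About 2**bits tries are expected; returns (None, limit) if none is found.
    """
    for tries in range(1, limit + 1):
        msg = b"preimage-%d" % tries
        if short_md5(msg, bits) == target:
            return msg, tries
    return None, limit


if __name__ == "__main__":
    a, b, c_tries = find_collision()
    # Constructed target: the hash of an input the searcher is not given.
    target = short_md5(b"original input the searcher never sees")
    p, p_tries = find_preimage(target)
    print(f"collision after {c_tries} tries: {a!r} / {b!r}")
    print(f"preimage  after {p_tries} tries: {p!r}")
```

The expected work is roughly the square root of the output space for a collision and the whole output space for a preimage, which is why a hash can be weak against the first while the second remains impractical.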