From: Iang <iang@iang.org>
Date: Tue, 04 Dec 2007 13:43:39 +0100
To: Colin Percival
Cc: freebsd-security@freebsd.org
Subject: Re: MD5 Collisions...
Message-ID: <47554B7B.90803@iang.org>
In-Reply-To: <4754D6C2.3030005@freebsd.org>
References: <20071203154412.461d0faf@meijome.net> <4754D6C2.3030005@freebsd.org>

Colin Percival wrote:
> Norberto Meijome wrote:
>> Should some kind of advisory be sent to advise people not to rely solely
>> on MD5 checksums? Maybe an update to the man page is due?
>>
>> "
>> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
>> been made that its security is in some doubt. The attacks on MD5 are in
>> the nature of finding ``collisions'' -- that is, multiple inputs which
>> hash to the same value; it is still unlikely for an attacker to be able
>> to determine the exact original input given a hash value.
>> "
>
> I fail to see how the man page is incorrect here. What do you think it should
> be saying instead?

Perhaps, for the first two paragraphs:

==============
Md5 is a cryptographic message digest algorithm. It takes as input a
message of arbitrary length and produces as output a 128-bit
``fingerprint'' or ``digest'' of the input. Such algorithms are intended
for applications where a large file must be ``compressed'' in a secure
manner, suitable as a digital signature or as an input to a public-key
cryptosystem for digital signature or encryption purposes.

MD5 is no longer recommended as a cryptographic message digest algorithm,
although it functions very well as a big checksum. It is now feasible
(2004) to produce two messages having the same MD5 message digest
(``collision'' attack), and attacks of this nature are getting better and
faster. It is still conjectured to be computationally infeasible (2007) to
produce any message having a given prespecified target message digest
(``preimage'' attack).
==============

It's worth checking carefully ... discussing the minutiae of cryptographic
algorithms is like angels dancing on a pin.

iang
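The distinction the proposed wording draws, MD5 as a "big checksum" versus a digest that can vouch for a file's origin, is easy to turn into a verification policy. The following Python is an added example written for this archive page, not code from FreeBSD or from any participant in the thread: it checks a file against a manifest of digests, treats an MD5-only match as proof of intactness but not of authenticity, and requires a collision-resistant digest before reporting the file as verified. The algorithm classes, the sample "distfile" bytes and the manifest layout are all constructed assumptions for the example.

```python
import hashlib
import hmac

# Policy constructed for this example.  MD5 still catches accidental
# corruption, but since collisions are feasible it cannot show that an
# attacker-chosen file is the one the publisher hashed; SHA-2 digests can.
CHECKSUM_ONLY = {"md5"}
COLLISION_RESISTANT = {"sha256", "sha512"}


def digests(data: bytes) -> dict:
    """Publisher side: compute every digest a manifest may carry."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in sorted(CHECKSUM_ONLY | COLLISION_RESISTANT)}


def verify(data: bytes, manifest: dict) -> str:
    """Consumer side: compare data against {algorithm: hexdigest}.

    Returns one of:
      "corrupt"        some listed digest does not match (damage or tampering)
      "verified"       all digests match and at least one is collision-resistant
      "checksum-only"  all digests match but only MD5-class ones were listed,
                       so the file is intact yet not authenticated
    """
    if not manifest:
        raise ValueError("manifest lists no digests")
    strong = False
    for alg, expected in manifest.items():
        actual = hashlib.new(alg, data).hexdigest()
        # Constant-time comparison so a mismatch leaks nothing about position.
        if not hmac.compare_digest(actual, expected.lower()):
            return "corrupt"
        if alg in COLLISION_RESISTANT:
            strong = True
    return "verified" if strong else "checksum-only"


# Constructed sample: a stand-in for a downloaded distfile and a one-byte edit.
DISTFILE = b"constructed sample distfile contents\n"
TAMPERED = DISTFILE + b"#"
MANIFEST = digests(DISTFILE)            # what a publisher would ship
MD5_ONLY = {"md5": MANIFEST["md5"]}     # an older manifest listing MD5 alone


def demo() -> tuple:
    """Run the three cases the policy distinguishes."""
    return (verify(DISTFILE, MANIFEST),
            verify(DISTFILE, MD5_ONLY),
            verify(TAMPERED, MANIFEST))


if __name__ == "__main__":
    for label, result in zip(("full manifest", "md5 only", "tampered"), demo()):
        print(f"{label:14s} -> {result}")
```

Reporting "checksum-only" as a distinct state, rather than collapsing it into success, is the point: a build or package tool can still use the result to detect a corrupted download while refusing to treat it as evidence that the file is the one the publisher signed off on.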