Date: Tue, 4 Dec 2007 09:07:45 -0600
From: Josh Paetzel <josh@tcbug.org>
To: freebsd-security@freebsd.org
Cc: Roger Marquis <marquis@roble.com>
Subject: Re: MD5 Collisions...
Message-ID: <200712040907.48394.josh@tcbug.org>
In-Reply-To: <20071204142754.2F6362B228A@mx5.roble.com>
References: <20071204120020.2CCA416A469@hub.freebsd.org> <20071204142754.2F6362B228A@mx5.roble.com>
On Tuesday 04 December 2007 08:27:54 am Roger Marquis wrote:
> Colin Percival wrote:
> >> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> >> been made that its security is in some doubt. The attacks on MD5
> >> are in the nature of finding ``collisions'' -- that is, multiple inputs
> >> which hash to the same value; it is still unlikely for an attacker to be
> >> able to determine the exact original input given a hash value.
> >> "
> >
> > I fail to see how the man page is incorrect here. What do you think it
> > should be saying instead?
>
> I would drop the statement altogether since it is not accurate for MD5
> signatures of binary packages and tarballs. At the very least define the
> specific scenarios under which MD5 can be broken and drop the "its security
> is in some doubt" claim. Vague statements about crypto are worse than none
> at all.

I think some of the concerns expressed here seem to be focused on one
particular use case of MD5. The main place FreeBSD seems to use MD5s is in
verifying tarballs for ports. In this particular application MD5 + checking
the length of the file + SHA256 is more than enough to ensure that the
tarball hasn't been tampered with. In all reality, MD5 alone is enough for
most cases, since generating meaningful collisions so far has required
control of the original as well.

If you wanted to get really picky, MD5-ing a file is really the wrong way to
go about it in the first place, since there's no stopping an attacker from
replacing the tarball AND the MD5 sum on the download site together. As a
port maintainer, when I update a port, how do I really know the files the
project has published are what they intended? Unless they are digitally
signed I really don't.

At any rate, there is some doubt about MD5. Since collisions have been
discovered you can't make assertions about further problems being found in
it. Perhaps someday someone will find a way to generate arbitrary same-length
meaningful collisions... who's to know.

-- 
Thanks,

Josh Paetzel

PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQBHVW1EJvkB8SevrssRAl2CAJ4kSxVEDjLY1N852BJPIY4Qigjw4ACgiQAc
uTb/NZoKGpn1ZlMuxctotWM=
=2QyV
-----END PGP SIGNATURE-----
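The verification the message describes (MD5 plus file length plus SHA256, as recorded in a port's distinfo) can be exercised end to end with the following Python script. It is an added example written for this page; it is not Josh's code and not the ports framework's own bsd.port.mk logic. The distinfo line format ("ALGO (filename) = value") matches what ports of that era recorded, but the distfile name, the tarball bytes and the distinfo text below are constructed for the example, and the function names (parse_distinfo, make_distinfo, verify_distfile_bytes, check_distfile) are this example's own.

```python
import hashlib
import re

# One distinfo line looks like:  ALGO (filename) = value
_LINE_RE = re.compile(r"^(MD5|SHA256|SIZE) \((\S+)\) = (\S+)$")


def parse_distinfo(text):
    """Parse distinfo text into {filename: {"MD5": hex, "SHA256": hex, "SIZE": int}}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("$"):   # blank lines and $FreeBSD$ id tags
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError("malformed distinfo line: %r" % raw)
        algo, fname, value = m.groups()
        entry = entries.setdefault(fname, {})
        if algo in entry:
            raise ValueError("duplicate %s line for %s" % (algo, fname))
        entry[algo] = int(value) if algo == "SIZE" else value.lower()
    return entries


def make_distinfo(fname, data):
    """Record MD5, SHA256 and SIZE for one distfile, as a maintainer's makesum step would."""
    return (
        "MD5 (%s) = %s\n" % (fname, hashlib.md5(data).hexdigest())
        + "SHA256 (%s) = %s\n" % (fname, hashlib.sha256(data).hexdigest())
        + "SIZE (%s) = %d\n" % (fname, len(data))
    )


def verify_distfile_bytes(data, entry):
    """Return the names of the checks that FAILED; [] means the distfile verifies.

    Every check runs regardless of the others, and a *missing* line counts as a
    failure, so a distinfo with its SHA256 line stripped out is rejected rather
    than silently downgraded to MD5-only.
    """
    failures = []
    if entry.get("SIZE") != len(data):
        failures.append("SIZE")
    if entry.get("MD5") != hashlib.md5(data).hexdigest():
        failures.append("MD5")
    if entry.get("SHA256") != hashlib.sha256(data).hexdigest():
        failures.append("SHA256")
    return failures


def check_distfile(data, distinfo_text, fname):
    """Convenience wrapper: parse distinfo, look up fname, verify data against it."""
    entries = parse_distinfo(distinfo_text)
    if fname not in entries:
        return ["SIZE", "MD5", "SHA256"]   # no record at all: nothing verifies
    return verify_distfile_bytes(data, entries[fname])


# --- constructed sample data (not a real port or tarball) -------------------
DISTFILE = "example-1.0.tar.gz"
ORIGINAL = b"fake tarball bytes: hello from the project\n"
# Same length as ORIGINAL, so the SIZE check alone cannot tell them apart.
TAMPERED_SAME_SIZE = b"fake tarball bytes: hello from the attackr\n"
DISTINFO = make_distinfo(DISTFILE, ORIGINAL)
# The same distinfo with the SHA256 line removed, as a downgrade attempt.
DISTINFO_NO_SHA256 = "".join(
    l + "\n" for l in DISTINFO.splitlines() if not l.startswith("SHA256"))

if __name__ == "__main__":
    print(DISTINFO)
    print("original:          ", check_distfile(ORIGINAL, DISTINFO, DISTFILE))
    print("same-size tamper:  ", check_distfile(TAMPERED_SAME_SIZE, DISTINFO, DISTFILE))
    print("appended byte:     ", check_distfile(ORIGINAL + b"\n", DISTINFO, DISTFILE))
    print("SHA256 stripped:   ", check_distfile(ORIGINAL, DISTINFO_NO_SHA256, DISTFILE))
```

Running it shows the two caveats the message raises. The same-length substitution passes the SIZE check and is caught only by the hashes, which is exactly why a hypothetical "arbitrary same-length meaningful collision" would matter; and nothing here authenticates the distinfo text itself. An attacker who can replace both the tarball and the distinfo on the download site passes every check, so the record has to be tied to something the attacker cannot forge, such as a signature over the distfile or the distinfo, before these hashes say anything about provenance.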
