From owner-freebsd-security@FreeBSD.ORG Tue Dec 4 15:07:50 2007
From: Josh Paetzel
To: freebsd-security@freebsd.org
Cc: Roger Marquis
Date: Tue, 4 Dec 2007 09:07:45 -0600
Subject: Re: MD5 Collisions...
Message-Id: <200712040907.48394.josh@tcbug.org>
In-Reply-To: <20071204142754.2F6362B228A@mx5.roble.com>
References: <20071204120020.2CCA416A469@hub.freebsd.org> <20071204142754.2F6362B228A@mx5.roble.com>
On Tuesday 04 December 2007 08:27:54 am Roger Marquis wrote:
> Colin Percival wrote:
> >> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> >> been made that its security is in some doubt. The attacks on MD5
> >> are in the nature of finding ``collisions'' -- that is, multiple inputs
> >> which hash to the same value; it is still unlikely for an attacker to be
> >> able to determine the exact original input given a hash value.
> >> "
> >
> > I fail to see how the man page is incorrect here. What do you think it
> > should be saying instead?
>
> I would drop the statement altogether since it is not accurate for MD5
> signatures of binary packages and tarballs. At the very least define the
> specific scenarios under which MD5 can be broken and drop the "its security
> is in some doubt" claim. Vague statements about crypto are worse than none
> at all.

I think some of the concerns expressed here seem to be focused on one particular use case of MD5. The main place FreeBSD seems to use MD5 is in verifying tarballs for ports. In this particular application MD5 + checking the length of the file + SHA256 is more than enough to ensure that the tarball hasn't been tampered with. In all reality, MD5 alone is enough for most cases, since generating meaningful collisions so far has required control of the original as well.
If you wanted to get really picky, MD5-ing a file is really the wrong way to go about it in the first place, since there's no stopping an attacker from replacing the tarball AND the MD5 sum on the download site together... as a port maintainer, when I update a port how do I really know the files the project has published are what they intended? Unless they are digitally signed I really don't.

At any rate, there is some doubt about MD5. Since collisions have been discovered you can't make assertions about further problems being found in it. Perhaps someday someone will find a way to generate arbitrary same-length meaningful collisions... who's to know.

--
Thanks,
Josh Paetzel
PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
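The distinfo check the message describes (MD5 plus file length plus SHA256), written out as an added Python example; this is not code from the FreeBSD ports tree or from anyone in the thread. The `ALGO (file) = value` line layout is the one ports distinfo files use for those three line types; the file name, the sample bytes and the recorded values are constructed (the digests are the standard "abc" test vectors for MD5 and SHA-256).

```python
"""Check a ports distfile against its distinfo record (MD5 + SHA256 + SIZE).

Added example, not code from the FreeBSD ports tree or this thread. The
``ALGO (file) = value`` layout is the ports distinfo one; the sample file
name and bytes are constructed, and the digests are the "abc" test vectors.
"""
import hashlib
import re

_LINE = re.compile(r"^(MD5|SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_distinfo(text):
    """Map each distfile name to its recorded MD5/SHA256/SIZE values."""
    records = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"malformed distinfo line: {line!r}")
        records.setdefault(m["name"], {})[m[1]] = m["value"]
    return records


def verify_distfile(data, record):
    """Return failed checks (empty list = accepted); a check absent from the record also fails."""
    actual = {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SIZE": str(len(data)),
    }
    failures = []
    for algo, got in actual.items():
        want = record.get(algo)
        if want is None:
            failures.append(f"{algo}: not recorded in distinfo")
        elif want.lower() != got:
            failures.append(f"{algo}: expected {want}, got {got}")
    return failures


# Constructed sample: a 3-byte "tarball" whose digests are the known vectors.
SAMPLE_NAME = "example-1.0.tar.gz"
SAMPLE_DISTINFO = """\
MD5 (example-1.0.tar.gz) = 900150983cd24fb0d6963f7d28e17f72
SHA256 (example-1.0.tar.gz) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SIZE (example-1.0.tar.gz) = 3
"""


def check_sample(data=b"abc"):
    """Verify ``data`` as SAMPLE_NAME; b"abd" shows a same-length swap SIZE alone would miss."""
    return verify_distfile(data, parse_distinfo(SAMPLE_DISTINFO)[SAMPLE_NAME])
```

Passing `b"abd"` to `check_sample` fails both digest checks while SIZE still matches, which is why the length check is only a supplement to the hashes. As the message points out, none of this helps if the distinfo values were fetched from the same site as the tarball and replaced along with it.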