From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 18:16:45 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DC21316A4CE for ; Wed, 18 Aug 2004 18:16:45 +0000 (GMT) Received: from avscan2.sentex.ca (avscan2.sentex.ca [199.212.134.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7D85443D3F for ; Wed, 18 Aug 2004 18:16:45 +0000 (GMT) (envelope-from mike@sentex.net) Received: from localhost (localhost.sentex.ca [127.0.0.1]) by avscan2.sentex.ca (8.12.11/8.12.11) with ESMTP id i7IIGik1096597; Wed, 18 Aug 2004 14:16:44 -0400 (EDT) (envelope-from mike@sentex.net) Received: from avscan2.sentex.ca ([127.0.0.1]) by localhost (avscan2.sentex.ca [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 96528-01; Wed, 18 Aug 2004 14:16:44 -0400 (EDT) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by avscan2.sentex.ca (8.12.11/8.12.11) with ESMTP id i7IIGiRM096575; Wed, 18 Aug 2004 14:16:44 -0400 (EDT) (envelope-from mike@sentex.net) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.11/8.12.11) with ESMTP id i7IIGb3a006690; Wed, 18 Aug 2004 14:16:37 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <6.1.2.0.0.20040818141732.04a6e060@64.7.153.2> X-Sender: mdtpop@64.7.153.2 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.1.2.0 Date: Wed, 18 Aug 2004 14:21:18 -0400 To: "Peter C. Lai" From: Mike Tancsa In-Reply-To: <20040818175804.GI346@cowbert.net> References: <200408181724.i7IHORYl013375@bunrab.catwhisker.org> <20040818175804.GI346@cowbert.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by amavisd-new X-Virus-Scanned: by amavisd-new at avscan2b cc: freebsd-security@freebsd.org Subject: Re: Report of collision-generation with MD5 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Aug 2004 18:16:46 -0000 At 01:58 PM 18/08/2004, Peter C. Lai wrote: >Well while collisions are cryptographically significant, they don't >necessarily impact any operational security of the the hash. (Since the >collision merely means that there are possibly two inputs which will hash to >the same digest). As I have no crypto background to evaluate some of the (potentially wild and erroneous) claims being made in the popular press* (eg http://news.com.com/2100-1002_3-5313655.html see quote below), one thing that comes to mind is the safety of ports. If someone can pad an archive to come up with the same MD5 hash, this would challenge the security of the FreeBSD ports system no ? * "MD5's flaws that have been identified in the past few days mean that an attacker can generate one hash collision in a few hours on a standard PC. To write a specific back door and cloak it with the same hash collision may be much more time intensive. " ---Mike