From owner-freebsd-security@FreeBSD.ORG Tue Dec 4 20:01:01 2007
From: Wes Peters <wes@softweyr.com>
To: freebsd-security@freebsd.org
Date: Tue, 4 Dec 2007 11:43:28 -0800
Subject: Re: MD5 Collisions...
List-Id: "Security issues [members-only posting]"

Colin Percival asked:

> Norberto Meijome wrote:
>> should some kind of advisory be sent to advise people not to rely
>> solely on MD5 checksums? Maybe an update to the man page is due? :
>>
>> "
>> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
>> been made that its security is in some doubt. The attacks on MD5 are in
>> the nature of finding ``collisions'' -- that is, multiple inputs which
>> hash to the same value; it is still unlikely for an attacker to be able
>> to determine the exact original input given a hash value.
>> "
>
> I fail to see how the man page is incorrect here. What do you think it should
> be saying instead?

Nothing. This is philosophy, which goes far beyond the scope of man pages.

As a security researcher, it's fun to spend years poking at a problem until you find a way to exploit it, and the meaning doesn't change if the exploit takes all of the computing resources that existed in the known universe up to last year. In the real world, these 'attacks' have little meaning.

The common uses of MD5 as applied to the average FreeBSD consumer consist of adding some amount of assurance that the bits said user just downloaded are indeed the bits (s)he wanted to download. The probability of someone compromising one or more servers, replacing the compressed tar image with another compressed tar image of the SAME LENGTH that is still valid and that manages to do much the same work as the original, plus some nefarious additional function, is infinitesimally small. In theory, theory is better than practice, but in practice, it never is.

The one direction the FreeBSD Project should take from this discussion is that cryptography, like any form of security, is an arms race. Utilities that use cryptography for protection should plan on being able to use newer ciphers from the very beginning, because what we have now will, in practice, NEVER be enough tomorrow, for some tomorrow.

-- 
Where am I, and what am I doing in this handbasket?
Wes Peters wes@softweyr.com
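The closing point of the message, that tools relying on a digest should be able to move to a newer one from the start, is the kind of thing a checksum verifier can be built around. The following is an added example (not code from the thread or from FreeBSD) of a small hash-agile verifier for BSD-style checksum lines of the form `MD5 (file) = hexdigest`. It accepts legacy MD5/SHA1 entries so old checksum files still parse, but reports a download as unverified unless at least one strong digest (SHA256 or SHA512) also matches, and every listed digest must agree. The sample file name, contents and checksum lines are constructed here; the digests are computed at run time rather than typed in.

```python
import hashlib
import hmac
import re

# Algorithm labels as written by BSD md5/sha256-style tools, mapped to hashlib
# names.  MD5 and SHA1 are recognised so that older checksum files still parse,
# but neither counts as sufficient evidence of integrity on its own.
KNOWN = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
STRONG = frozenset({"SHA256", "SHA512"})

LINE_RE = re.compile(r"^([A-Z0-9]+) \((.+)\) = ([0-9a-fA-F]+)$")


def parse_checksum_file(text):
    """Parse 'ALGO (name) = hex' lines into {name: {ALGO: hexdigest}}.
    Unknown algorithm labels are kept rather than dropped, so that a newer
    checksum file is not silently weakened; verify() decides what to do."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable checksum line: %r" % line)
        algo, name, digest = m.groups()
        expected.setdefault(name, {})[algo] = digest.lower()
    return expected


def verify(data, name, expected):
    """Return (ok, reason) for the bytes `data` claimed to be file `name`.
    All recorded digests must match, and at least one must be STRONG; a file
    covered only by MD5/SHA1 is reported as unverified, not as verified."""
    digests = expected.get(name)
    if not digests:
        return False, "no checksum recorded for %s" % name
    strong_match = False
    for algo, want in digests.items():
        hashlib_name = KNOWN.get(algo)
        if hashlib_name is None:
            # Conservative choice: an algorithm we cannot compute is a failure,
            # not something to skip, so a stale verifier cannot pass by accident.
            return False, "unsupported digest algorithm %s" % algo
        got = hashlib.new(hashlib_name, data).hexdigest()
        if not hmac.compare_digest(got, want):
            return False, "%s mismatch for %s" % (algo, name)
        if algo in STRONG:
            strong_match = True
    if not strong_match:
        return False, "only weak digests (%s) cover %s" % (", ".join(sorted(digests)), name)
    return True, "verified %s with %s" % (
        name, ", ".join(sorted(a for a in digests if a in STRONG)))


def make_checksum_file(name, data, algos):
    """Emit BSD-style checksum lines for `data` (used here to build samples)."""
    return "\n".join("%s (%s) = %s" % (a, name, hashlib.new(KNOWN[a], data).hexdigest())
                     for a in algos) + "\n"


# Constructed sample: a pretend distribution file (hypothetical name), a
# same-length tampered copy, and two checksum files for it.
SAMPLE_NAME = "example-1.0.tar.gz"
SAMPLE_DATA = b"constructed sample tarball contents\n"
TAMPERED_DATA = b"constructed sample tarball contents!"  # same length, last byte changed
CHECKSUMS_BOTH = make_checksum_file(SAMPLE_NAME, SAMPLE_DATA, ("MD5", "SHA256"))
CHECKSUMS_MD5_ONLY = make_checksum_file(SAMPLE_NAME, SAMPLE_DATA, ("MD5",))

if __name__ == "__main__":
    for label, text, data in (("md5+sha256, intact", CHECKSUMS_BOTH, SAMPLE_DATA),
                              ("md5+sha256, tampered", CHECKSUMS_BOTH, TAMPERED_DATA),
                              ("md5 only, intact", CHECKSUMS_MD5_ONLY, SAMPLE_DATA)):
        ok, reason = verify(data, SAMPLE_NAME, parse_checksum_file(text))
        print("%-22s -> %s: %s" % (label, "OK" if ok else "REJECT", reason))
```

Adding a new algorithm is a one-line change to `KNOWN` (and, when it is trusted alone, to `STRONG`), and demoting an old one means removing it from `STRONG` without breaking existing checksum files; that is the agility the message asks for. The `hmac.compare_digest` call is there so comparison time does not depend on where the first differing hex character is.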