Date: Wed, 25 Aug 2004 16:08:11 -0600 From: Scott Gerhardt <scott@g-it.ca> To: guy@device.dyndns.org Cc: freebsd-security@freebsd.org Subject: Re: Report of collision-generation with MD5 Message-ID: <40BEB77B-F6E3-11D8-B9B9-000393801C60@g-it.ca> In-Reply-To: <XFMail.20040825215150.guy@device.dyndns.org> References: <XFMail.20040825215150.guy@device.dyndns.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> > On 18-Aug-2004 Mike Tancsa wrote: >> As I have no crypto background to evaluate some of the (potentially >> wild >> and erroneous) claims being made in the popular press* (eg >> http://news.com.com/2100-1002_3-5313655.html see quote below), one >> thing >> that comes to mind is the safety of ports. If someone can pad an >> archive >> to come up with the same MD5 hash, this would challenge the security >> of >> the FreeBSD ports system no ? > > I _believe_ answer is "no", because i _think_ the FreeBSD ports system > also > verify the size of the archive(s) (cat /usr/ports/any/any/distinfo to > see > what made me think that). > > Padding would modify archive size. Finding a backdoored version that > both > satisfy producing the same hash and being the same size is probably not > impossible, but how many years would it take ? > > > Now, i may be wrong. Any enlightement welcome. > > -- > Guy > _______________________________________________ > Why not adopt the OpenBSD method for ports. OpenBSD supplies 3 hash/digests for downloaded binaries and sources. Those OpenBSD guys leave nothing to chance. ports/databases/postgresql] scott% cat distinfo MD5 (postgresql-7.3.5.tar.gz) = ef2751173050b97fad8592ce23525ddf RMD160 (postgresql-7.3.5.tar.gz) = 83d5f713d7bfcf3ca57fb2bcc88d052982911d73 SHA1 (postgresql-7.3.5.tar.gz) = fbdab6ce38008a0e741f8b75e3b57633a36ff5ff Thanks, -- Scott A. Gerhardt, P.Geo. Gerhardt Information Technologies
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40BEB77B-F6E3-11D8-B9B9-000393801C60>