Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 03 Dec 2007 16:44:58 -0600
From:      Rich Murphey <Rich@Murphey.org>
To:        freebsd-security@freebsd.org
Subject:   Re: MD5 Collisions...
Message-ID:  <475486EA.5080907@Murphey.org>
In-Reply-To: <47540774.5080805@iang.org>
References:  <20071203154412.461d0faf@meijome.net> <47540774.5080805@iang.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Here's a paper by Eric Thompson of AccessData on "MD5 collisions
and the impact on computer forensics" published in the journal
Digital Investigation.  It makes a similar argument that the MD5
collisions have very limited practical impact on current use for
evidence authentication in computer forensics.

http://www.acquisitiondata.com/white_papers/md5-collisions.pdf

Rich Murphey


Iang wrote:
> Norberto Meijome wrote:
>> Hi everyone,
>>
>> Not sure if you've read 
>> http://www.win.tue.nl/hashclash/SoftIntCodeSign/ .
>>
>> should some kind of advisory be sent to advise people not to rely 
>> solely on MD5 checksums? Maybe an update to the man page is due ? :
>
>
> my 2c worth:
>
> The attack is somewhat subtle, and doesn't really apply to the use 
> that is currently made of MD5.
>
> The attack with MD5 is that if you can create your own text, you can 
> create 2 texts with the same MD5.  That however is very different to 
> you creating a new text with the same MD5 as my text.  It is the 
> latter that is normal usage.
>
> In this case, if you are distributing your code with an MD5 signature 
> so others can check it, it is still not a useful attack.  MD5 is still 
> good for that.
>
> Having said that, the general warning is more or less correct; move to 
> a longer hash, if designing new apps.
>
> However, it gets messier, as you need to chose a replacement:
>
>  * SHA1 is good "for now", but expected to suffer in a few short 
> years.  No point in picking that.
>
>  * SHA256 and friends are also under some sort of skeptical cloud, 
> although they are likely good for a lot longer (ask 3 cryptographers 
> for 7 different answers here).  While it could be good to pick SHA256, 
> etc, there isn't that total 100% theoretical pareto-complete 
> confidence that cryptographers insist on...
>
>  * To address this, NIST just a couple of months back announced a SHA3 
> competition.  This will in the space of maybe 4-6 years announce a new 
> generation hash.  Can you wait for that?
>
> There are then a handful of strategies that might help:
>
> a.  switch to SHA256 now, and then SHA3 in 5 years time.
> b.  limp along on MD5 and plan on SHA3 when it is available.
> c.  add "hash agility" to all programs and allow apps to follow their 
> desires.
>
> Which you follow depends on where you are in the crypto-paranoia curve.
>
> Unless the app is an actual vector of validated attacks, I'd suggest 
> b.  If you are part of the community and like inflicting crypto 
> turmoil on your users for fun and pleasure, do c.  If you are some big 
> company and have to answer to others' ideas of compliance, do a.
>
>
>
>> "     MD5 has not yet (2001-09-03) been broken, but sufficient 
>> attacks have
>>      been made that its security is in some doubt.  The attacks on 
>> MD5 are in
>>      the nature of finding ``collisions'' -- that is, multiple inputs 
>> which
>>      hash to the same value; it is still unlikely for an attacker to 
>> be able
>>      to determine the exact original input given a hash value.
>> "
>
>
> That's fine as a description of the problem.  What it lacks is any 
> advice as to what an application developer should do about it.  A 
> tough issue :)
>
> iang
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to 
> "freebsd-security-unsubscribe@freebsd.org"
>




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?475486EA.5080907>