Date: Tue, 4 Dec 2007 23:11:45 +1100 From: Norberto Meijome <freebsd@meijome.net> To: Colin Percival <cperciva@freebsd.org> Cc: freebsd-security@freebsd.org Subject: Re: MD5 Collisions... Message-ID: <20071204231145.0c4be9b7@meijome.net> In-Reply-To: <4754D6C2.3030005@freebsd.org> References: <20071203154412.461d0faf@meijome.net> <4754D6C2.3030005@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 03 Dec 2007 20:25:38 -0800
Colin Percival <cperciva@freebsd.org> wrote:
> Norberto Meijome wrote:
> > should some kind of advisory be sent to advise people not to rely solely on MD5 checksums? Maybe an update to the man page is due ? :
> >
> > "
> > MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> > been made that its security is in some doubt. The attacks on MD5 are in
> > the nature of finding ``collisions'' -- that is, multiple inputs which
> > hash to the same value; it is still unlikely for an attacker to be able
> > to determine the exact original input given a hash value.
> > "
>
> I fail to see how the man page is incorrect here. What do you think it should
> be saying instead?
hi Colin,
yeah..the more I read it I see that it isn't wrong... maybe it's something to do with "not yet (2001....)" ...seems rather dated. (the advisory idea was a bad one, i agree, oopsie :) )
I understand that the final nail in MD5's coffin hasn't been found yet ( ie, we cannot "determine the exact original input given a hash value") , but the fact that certain magic bytes can be found (rather quickly) so that any 2 given binaries end up as collisions seems , from my unlearned POV, more serious or sinister than what the text above implies.
We put some strong kind of protection when vulnerabilities are found, in the form of portaudit and failing to build ports that have issues - some stronger words of warning (I am not sure what, precisely, but maybe pointing to a URL on freebsd.org with up to date info on this ? ) could, possibly, be warranted.
Of course, it is only my point of view :)
thanks for your time,
B
_________________________
{Beto|Norberto|Numard} Meijome
It is better to remain silent and be thought a fool, than to speak, and remove all doubt.
I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20071204231145.0c4be9b7>