Re: MD5 Collisions...
--nextPart2696553.D45Aa6Ld8T
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
On Tuesday 04 December 2007 08:27:54 am Roger Marquis wrote:
> Colin Percival wrote:
> >> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> >> been made that its security is in some doubt. The attacks on MD5
> >> are in the nature of finding ``collisions'' -- that is, multiple inputs
> >> which hash to the same value; it is still unlikely for an attacker to =
be
> >> able to determine the exact original input given a hash value.
> >> "
> >
> > I fail to see how the man page is incorrect here. What do you think it
> > should be saying instead?
>
> I would drop the statement altogether since it is not accurate for MD5
> signatures of binary packages and tarballs. At the very least define the
> specific scenarios under which MD5 can be broken and drop the "its securi=
ty
> is in some doubt" claim. Vague statements about crypto are worse than no=
ne
> at all.
I think some of the concerns expressed here seem to be focused on one=20
particular use case of MD5. The main place FreeBSD seems to use MD5's is i=
n=20
verifying tarballs for ports. In this particular application MD5 + checkin=
g=20
the length of the file + SHA256 is more than enough to ensure that the=20
tarball hasn't been tampered with. In all reality, MD5 alone is enough for=
=20
most cases, since generating meaningful collisions so far has required=20
control of the original as well.
If you wanted to get really picky, MD5-ing a file is really the wrong way t=
o=20
go about it in the first place, since there's no stopping an attacker from=
=20
replacing the tarball AND the MD5 sum on the download site together....as a=
=20
port maintainer when I update a port how do I really know the files the=20
project has published are what they intended? Unless they are digitally=20
signed I really don't.
At any rate, there is some doubt about MD5. Since collisions have been=20
discovered you can't make assertions about further problems being found in=
=20
it. Perhaps someday someone will find a way to generate arbitrary=20
same-length meaningful collisions...who's to know.
=2D-=20
Thanks,
Josh Paetzel
PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
--nextPart2696553.D45Aa6Ld8T
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)
iD8DBQBHVW1EJvkB8SevrssRAl2CAJ4kSxVEDjLY1N852BJPIY4Qigjw4ACgiQAc
uTb/NZoKGpn1ZlMuxctotWM=
=2QyV
-----END PGP SIGNATURE-----
--nextPart2696553.D45Aa6Ld8T--
討論串 (同標題文章)
完整討論串 (本文為第 12 之 18 篇):