Re: Report of collision-generation with MD5

guy_at_device.dyndns.org
Date: 08/25/04

  • Next message: Brooks Davis: "Re: Report of collision-generation with MD5" 
    Date: Wed, 25 Aug 2004 21:51:50 +0200 (CEST)
To: Mike Tancsa <mike@sentex.net>

    On 18-Aug-2004 Mike Tancsa wrote:
    > As I have no crypto background to evaluate some of the (potentially wild
    > and erroneous) claims being made in the popular press* (eg
    > http://news.com.com/2100-1002_3-5313655.html see quote below), one thing
    > that comes to mind is the safety of ports. If someone can pad an archive
    > to come up with the same MD5 hash, this would challenge the security of
    > the FreeBSD ports system no ?

    I _believe_ answer is "no", because i _think_ the FreeBSD ports system also
    verify the size of the archive(s) (cat /usr/ports/any/any/distinfo to see
    what made me think that).

    Padding would modify archive size. Finding a backdoored version that both
    satisfy producing the same hash and being the same size is probably not
    impossible, but how many years would it take ?

    Now, i may be wrong. Any enlightement welcome. 

    --
        Guy
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
  • Next message: Brooks Davis: "Re: Report of collision-generation with MD5"