Re: Report of collision-generation with MD5

From: Scott Gerhardt (scott_at_g-it.ca)
Date: 08/26/04

  • Next message: Mohacsi Janos: "Re: Report of collision-generation with MD5"
    Date: Wed, 25 Aug 2004 16:08:11 -0600
    To: guy@device.dyndns.org
    
    

    >
    > On 18-Aug-2004 Mike Tancsa wrote:
    >> As I have no crypto background to evaluate some of the (potentially
    >> wild and erroneous) claims being made in the popular press* (e.g.
    >> http://news.com.com/2100-1002_3-5313655.html see quote below), one
    >> thing that comes to mind is the safety of ports. If someone can pad an
    >> archive to come up with the same MD5 hash, this would challenge the
    >> security of the FreeBSD ports system, no?
    >
    > I _believe_ the answer is "no", because I _think_ the FreeBSD ports
    > system also verifies the size of the archive(s) (cat
    > /usr/ports/any/any/distinfo to see what made me think that).
    >
    > Padding would modify the archive size. Finding a backdoored version
    > that both produces the same hash and is the same size is probably not
    > impossible, but how many years would it take?
    >
    >
    > Now, I may be wrong. Any enlightenment welcome.
    >
    > --
    > Guy
    > _______________________________________________
    >

    Why not adopt the OpenBSD method for ports? OpenBSD supplies 3
    hashes/digests for downloaded binaries and sources. Those OpenBSD guys
    leave nothing to chance.

    ports/databases/postgresql] scott% cat distinfo
    MD5 (postgresql-7.3.5.tar.gz) = ef2751173050b97fad8592ce23525ddf
    RMD160 (postgresql-7.3.5.tar.gz) = 83d5f713d7bfcf3ca57fb2bcc88d052982911d73
    SHA1 (postgresql-7.3.5.tar.gz) = fbdab6ce38008a0e741f8b75e3b57633a36ff5ff

    Thanks,

    --
    Scott A. Gerhardt, P.Geo.
    Gerhardt Information Technologies
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    
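As an added example (not FreeBSD's or OpenBSD's own ports code): a POSIX sh checker that applies both defences the thread mentions, the SIZE line and a set of independent digests, to a fetched distfile. The distinfo line format is the one shown in the post above; the function names (digest_of, distinfo_check, demo), the tool fallbacks, and the constructed sample archive and its expected values are assumptions for this example. A digest line whose algorithm has no tool on the host is counted as a failure, so the checker can never silently verify less than the distinfo asks for.

```shell
#!/bin/sh
# Added example, not the ports framework's own code. Verifies a downloaded
# distfile against a distinfo file carrying lines of the form
#     ALG (filename) = value
# where ALG is SIZE, MD5, SHA1, SHA256 or RMD160 (hex digests).

# Print the hex digest of file $2 with algorithm $1, using whichever tool
# the host has (coreutils *sum on Linux, md5/sha1/rmd160 -q on BSD).
# Prints nothing if no tool for that algorithm is installed.
digest_of() {
    alg=$1 file=$2
    out=$(
        case $alg in
            MD5)    md5sum "$file" 2>/dev/null    || md5 -q "$file" 2>/dev/null ;;
            SHA1)   sha1sum "$file" 2>/dev/null   || sha1 -q "$file" 2>/dev/null ;;
            SHA256) sha256sum "$file" 2>/dev/null || sha256 -q "$file" 2>/dev/null ;;
            RMD160) openssl dgst -r -ripemd160 "$file" 2>/dev/null || rmd160 -q "$file" 2>/dev/null ;;
        esac
    )
    # First whitespace-separated field is the digest in every tool's output.
    printf '%s\n' "$out" | awk 'NR == 1 { print $1 }'
}

# Check local file $2 against every line of distinfo $1 that names it.
# Returns 0 only if at least one line was checked and none failed; a line
# whose algorithm has no tool installed is a failure, not a skip.
distinfo_check() {
    distinfo=$1 file=$2
    name=$(basename "$file")
    checked=0 failed=0
    while IFS= read -r line; do
        set -- $line                          # ALG (name) = value
        [ "$#" -ge 4 ] || continue
        [ "$2" = "($name)" ] || continue      # line is about another file
        alg=$1 want=$4
        case $alg in
            SIZE) got=$(wc -c < "$file" | tr -d ' ') ;;
            *)    got=$(digest_of "$alg" "$file") ;;
        esac
        checked=$((checked + 1))
        if [ -z "$got" ] || [ "$got" != "$want" ]; then
            echo "MISMATCH $alg ($name): want $want, got ${got:-<no tool>}" >&2
            failed=$((failed + 1))
        fi
    done < "$distinfo"
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Stand-alone demonstration with a constructed 6-byte "archive" whose MD5,
# SHA1 and size are known, then the same archive padded by one byte.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'hello\n' > "$dir/sample-1.0.tar.gz"
    printf '%s\n' \
        'MD5 (sample-1.0.tar.gz) = b1946ac92492d2347c6235b4d2611184' \
        'SHA1 (sample-1.0.tar.gz) = f572d396fae9206628714fb2ce00f72e94f2258f' \
        'SIZE (sample-1.0.tar.gz) = 6' > "$dir/distinfo"
    distinfo_check "$dir/distinfo" "$dir/sample-1.0.tar.gz" && echo "pristine: OK"
    printf 'x' >> "$dir/sample-1.0.tar.gz"
    distinfo_check "$dir/distinfo" "$dir/sample-1.0.tar.gz" 2>/dev/null \
        || echo "padded: REJECTED (size and digests all differ)"
    rm -rf "$dir"
}

demo
```

On an OpenSSL build where RIPEMD-160 lives only in the legacy provider and no rmd160(1) exists, an RMD160 line will fail as "no tool"; that is deliberate, since a checker that quietly drops one of the three digests gives the attacker the weakest of the remaining ones.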
