Re: MD5 Collisions...



On Mon, 03 Dec 2007 20:25:38 -0800
Colin Percival <cperciva@xxxxxxxxxxx> wrote:

> Norberto Meijome wrote:
> > should some kind of advisory be sent to advise people not to rely solely on MD5 checksums? Maybe an update to the man page is due? :
> >
> > "
> > MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> > been made that its security is in some doubt. The attacks on MD5 are in
> > the nature of finding ``collisions'' -- that is, multiple inputs which
> > hash to the same value; it is still unlikely for an attacker to be able
> > to determine the exact original input given a hash value.
> > "
>
> I fail to see how the man page is incorrect here. What do you think it should
> be saying instead?

Hi Colin,
Yeah... the more I read it, I see that it isn't wrong... Maybe it's something to do with "not yet (2001...)", which seems rather dated. (The advisory idea was a bad one, I agree, oopsie :) )

I understand that the final nail in MD5's coffin hasn't been found yet (i.e., we cannot "determine the exact original input given a hash value"), but the fact that certain magic bytes can be found (rather quickly) so that any 2 given binaries end up as collisions seems, from my unlearned POV, more serious or sinister than what the text above implies.

We put some strong kind of protection in place when vulnerabilities are found, in the form of portaudit and failing to build ports that have issues - some stronger words of warning (I am not sure what, precisely, but maybe pointing to a URL on freebsd.org with up-to-date info on this?) could, possibly, be warranted.

Of course, it is only my point of view :)

thanks for your time,
B
_________________________
{Beto|Norberto|Numard} Meijome

It is better to remain silent and be thought a fool, than to speak, and remove all doubt.

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
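As an added example (not code from this thread, nor from FreeBSD's own ports tools), here is a small distfile verifier in the spirit of the advice above not to rely solely on MD5 checksums: it parses BSD-style "ALGO (file) = value" digest lines, as ports distinfo files use, checks every recorded digest and size, and refuses a file for which only MD5 (or another digest with published collision attacks) is recorded, even when that MD5 matches. The filenames and the distinfo text are constructed test data; the digest values are those of the three-byte string "abc".

```python
import hashlib
import re

# Digest lines follow the BSD "ALGO (filename) = value" layout; SIZE lines
# carry a byte count instead of a hex digest. (Assumed distinfo format.)
STRONG = {"SHA256", "SHA512"}   # no practical collision attack known
LINE_RE = re.compile(r"^(\w+) \(([^)]+)\) = ([0-9A-Fa-f]+)$")

# Constructed sample distinfo: the values are the MD5/SHA256 of b"abc".
SAMPLE_DISTINFO = """\
MD5 (good-1.0.tar.gz) = 900150983cd24fb0d6963f7d28e17f72
SHA256 (good-1.0.tar.gz) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SIZE (good-1.0.tar.gz) = 3
MD5 (md5only-1.0.tar.gz) = 900150983cd24fb0d6963f7d28e17f72
"""

def parse_distinfo(text):
    """Map each filename to its recorded {ALGO: value} digests."""
    recorded = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unparseable distinfo line: %r" % line)
        algo, name, value = m.groups()
        recorded.setdefault(name, {})[algo.upper()] = value.lower()
    return recorded

SAMPLE_RECORDED = parse_distinfo(SAMPLE_DISTINFO)

def verify(name, data, recorded):
    """Return (ok, reason). A file is rejected when no collision-resistant
    digest is recorded for it, even if its MD5 matches, and when any
    recorded digest or size disagrees with the data."""
    digests = recorded.get(name)
    if not digests:
        return False, "no digests recorded"
    if not STRONG & set(digests):
        return False, "only weak digests recorded: " + ", ".join(sorted(digests))
    for algo, expected in digests.items():
        if algo == "SIZE":
            actual = str(len(data))
        else:
            actual = hashlib.new(algo.lower(), data).hexdigest()
        if actual != expected:
            return False, algo + " mismatch"
    return True, "ok"
```

With the sample data, verify("good-1.0.tar.gz", b"abc", SAMPLE_RECORDED) accepts the file, while the md5only entry is refused although its MD5 is correct.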