Re: MD5 Collisions...



On Tuesday 04 December 2007 08:27:54 am Roger Marquis wrote:
> Colin Percival wrote:
> > "MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> > been made that its security is in some doubt. The attacks on MD5
> > are in the nature of finding ``collisions'' -- that is, multiple inputs
> > which hash to the same value; it is still unlikely for an attacker to be
> > able to determine the exact original input given a hash value."
> >
> > I fail to see how the man page is incorrect here. What do you think it
> > should be saying instead?
>
> I would drop the statement altogether since it is not accurate for MD5
> signatures of binary packages and tarballs. At the very least define the
> specific scenarios under which MD5 can be broken and drop the "its security
> is in some doubt" claim. Vague statements about crypto are worse than none
> at all.

I think some of the concerns expressed here seem to be focused on one
particular use case of MD5. The main place FreeBSD seems to use MD5s is in
verifying tarballs for ports. In this particular application MD5 + checking
the length of the file + SHA256 is more than enough to ensure that the
tarball hasn't been tampered with. In all reality, MD5 alone is enough for
most cases, since generating meaningful collisions so far has required
control of the original as well.

If you wanted to get really picky, MD5-ing a file is really the wrong way to
go about it in the first place, since there's no stopping an attacker from
replacing the tarball AND the MD5 sum on the download site together... as a
port maintainer, when I update a port, how do I really know the files the
project has published are what they intended? Unless they are digitally
signed, I really don't.

At any rate, there is some doubt about MD5. Since collisions have been
discovered, you can't make assertions about further problems being found in
it. Perhaps someday someone will find a way to generate arbitrary
same-length meaningful collisions... who's to know.

--
Thanks,

Josh Paetzel

PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
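The check Josh describes above (recorded size plus two independent digests, all of which must match), written out as an added example that is not part of this thread or of the FreeBSD ports tree; it assumes a distinfo-style "ALGO (file) = value" record format and uses constructed sample bytes in place of a real distfile:

```python
import hashlib
import re

# Constructed sample: a tiny stand-in for a tarball, plus the record a port
# maintainer would have committed for it.
GOOD_TARBALL = b"constructed tarball contents for the demo\n"

# Assumed record format: one "ALGO (file) = value" line per field.
DISTINFO = """\
MD5 (demo-1.0.tar.gz) = {md5}
SHA256 (demo-1.0.tar.gz) = {sha256}
SIZE (demo-1.0.tar.gz) = {size}
""".format(
    md5=hashlib.md5(GOOD_TARBALL).hexdigest(),
    sha256=hashlib.sha256(GOOD_TARBALL).hexdigest(),
    size=len(GOOD_TARBALL),
)

LINE_RE = re.compile(r"^(MD5|SHA256|SIZE) \((\S+)\) = (\S+)$")


def parse_distinfo(text):
    """Return {filename: {field: value}} from distinfo-style lines."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            field, name, value = m.groups()
            records.setdefault(name, {})[field] = value
    return records


def verify(name, data, records):
    """Check SIZE, MD5 and SHA256 together; return (ok, list of failed fields).

    Every recorded field must match, so a same-length substitute that
    collides on one digest still has to match the other one as well.
    """
    expected = records.get(name)
    if expected is None:
        return False, ["no record for %s" % name]
    actual = {
        "SIZE": str(len(data)),
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }
    failures = [f for f in ("SIZE", "MD5", "SHA256")
                if f in expected and expected[f] != actual[f]]
    return not failures, failures
```

As the thread notes, this only proves the download matches what the maintainer recorded; whether the recorded values themselves are the project's is what a signature would establish.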



