Re: [Gnu-arch-users] crypto features and 1.2preX

gnu-arch-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnu-arch-users] crypto features and 1.2preX

From:	Florian Weimer
Subject:	Re: [Gnu-arch-users] crypto features and 1.2preX
Date:	Wed, 7 Jan 2004 05:26:41 +0100
User-agent:	Mutt/1.5.4i

Brian May wrote:

> 1. I have heard, from other mailing lists, that it is feasible to
> alter a file *and* *its* length* in such a way that it will produce
> exactly the same MD5 Checksum. The moral of the story was you can't
> rely on the MD5 checksum by itself, you need the MD5Sum + Length of
> the data.

As far as I know, this problem is specific to the old version 3 public
key format of OpenPGP.  In this case, two values are concatenated, and a
single hash is computed over that concatenation, so it's possible to
alter the boundary between the two values.

> Here, the signature is made with my key, but tla doesn't realize that
> the creator field was forged.

This has to be handled in the signature verification script.  You
probably want to use a separate keyring and disable the web-of-trust
mechanism (after checking key validity manually).

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Gnu-arch-users] crypto features and 1.2preX, Brian May, 2004/01/06
- Re: [Gnu-arch-users] crypto features and 1.2preX, Andrew Suffield, 2004/01/06
- Re: [Gnu-arch-users] crypto features and 1.2preX, Florian Weimer <=
- Re: [Gnu-arch-users] crypto features and 1.2preX, Brian May, 2004/01/07
  - Re: [Gnu-arch-users] crypto features and 1.2preX, Colin Walters, 2004/01/07

Prev by Date: Re: [Gnu-arch-users] extended attributes
Next by Date: [Gnu-arch-users] Re: [PATCH] arch speedups on big trees
Previous by thread: Re: [Gnu-arch-users] crypto features and 1.2preX
Next by thread: Re: [Gnu-arch-users] crypto features and 1.2preX
Index(es):
- Date
- Thread