
[Gnu-arch-users] Re: MD5 is broken


From: Ivan Boldyrev
Subject: [Gnu-arch-users] Re: MD5 is broken
Date: Wed, 16 Mar 2005 12:26:30 +0600
User-agent: Gnus/5.110003 (No Gnus v0.3) Emacs/21.4 (gnu/linux)

On 9050 day of my life Matthew Dempsky wrote:
> On Tue, 2005-03-15 at 20:03 +0600, Ivan Boldyrev wrote:
>> Arch uses MD5 internally.  But MD5 is not a weak hash function; it was
>> attacked many times, and recently the first practical attack was created:
>
> That attack you cite is just about finding two documents that have the same
> collision, which isn't a very useful attack against an arch archive.

Sure?

For example, someone broke into Tom Lord's computer and can change
everything I want.

The attacker creates some sexy patch for TLA (for example, support of
multiple hashes from libgcrypt).  Then I create another patch that
steals gpg passwords that people type when using signed archives.

Two patches with the same MD5 signature.  A quotation from a paper by a
Czech scientist:

,----
| It is shown in [4] that a single collision is enough to create a pair
| of different self-extracting archives with identical hash value.
| 
| [4] Vlastimil Klima: Several observation regarding Chinese collision
| of MD5, 3rd International Scientific Conference Security and
| Protection of Information.
`----

Then the attacker sends a message to the TLA devel list: "I have a sexy patch!
Get it from http://somewhere.tld/\{arch\}/my-tla-archive"

Tom Lord merges the sexy patch.  Even if he re-signs the patch, the
MD5 sum in ./checksum will be the same because *.patches.tar.gz is the same.

Then the attacker replaces the correct patch with the malicious one behind
the scenes.  And nobody will notice, because the MD5 sum is the same, and
the patch is signed by Tom Lord.

Of course, we can refuse to merge patches from unknown sources.  But then
TLA is not distributed anymore.  Or we can merge these patches, but
then TLA is not secure anymore.  Distributed or secure -- choose one.

Yep, it is a bit harder than just exploiting a pre-image attack.  But what
is harder: breaking into Tom's computer or creating a sexy patch?  I think
the former.  Then this attack is no more than two times harder than an
attack with a pre-image.

> If someone finds a second pre-image attack against md5, then arch
> will be in trouble (but so will just about anything else).

MD5 has been considered insecure for many years.  Arch is already in trouble
because Arch developers do not understand security.

I am not a security expert either, but designing a security attack against
Arch took less time than writing this message.

>> GNU Arch must move away from MD5 ASAP.
>
> You're right, arch /does/ need to switch to something more secure
> eventually, but please don't spread FUD exaggerating the consequences of
> this most recent finding.

Think twice before pressing the "Send" button.

-- 
Ivan Boldyrev

                                                  Is 'morning' a gerund?

Attachment: pgpQmJqIO98IJ.pgp
Description: PGP signature
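The scenario in the message above, reduced to code as an added example that is not part of the thread and not GNU Arch's own verification logic: a signature covers a checksum file, the checksum file names the archive only by its hash, so any second archive with the same hash inherits the signature. Real MD5 collision blocks are not reproduced here; instead `weak_digest` (MD5 truncated to 16 bits, an assumed stand-in) makes a collision pair cheap to find by birthday search, which is enough to exercise the verifier. The `<algorithm> <hexdigest>` checksum format, the HMAC-SHA256 "signature" standing in for the maintainer's GPG signature, the key, and the two patch texts are all constructed for the example. The defensive point is in `verify_archive`: it refuses a checksum file that lists only a weak hash rather than falling back to it, and with SHA-256 listed the swapped archive no longer verifies.

```python
import hashlib
import hmac

# Stand-in for a broken hash: MD5 truncated to 16 bits, so that a birthday
# search finds collisions in milliseconds.  The verification logic below does
# not care how the colliding pair was produced, only that one exists.
def weak_digest(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()[:4]

def strong_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Algorithms a checksum file may list; any other name is rejected on verify.
DIGESTS = {"weak": weak_digest, "sha256": strong_digest}

def make_checksum_file(archive: bytes, algorithms) -> str:
    """Constructed format: one '<algorithm> <hexdigest>' line per entry."""
    return "".join(f"{alg} {DIGESTS[alg](archive)}\n" for alg in algorithms)

def parse_checksum_file(text: str) -> dict:
    listed = {}
    for line in text.splitlines():
        alg, hexdigest = line.split()
        listed[alg] = hexdigest
    return listed

# HMAC-SHA256 stands in for the maintainer's GPG signature over ./checksum.
def sign(key: bytes, checksum_text: str) -> bytes:
    return hmac.new(key, checksum_text.encode(), hashlib.sha256).digest()

def signature_valid(key: bytes, checksum_text: str, tag: bytes) -> bool:
    return hmac.compare_digest(sign(key, checksum_text), tag)

def verify_archive(archive: bytes, checksum_text: str, tag: bytes, key: bytes,
                   required=("sha256",)) -> bool:
    """Accept only if the signature is good, every listed digest matches the
    archive, and every required (collision-resistant) algorithm is listed."""
    if not signature_valid(key, checksum_text, tag):
        return False
    listed = parse_checksum_file(checksum_text)
    if any(alg not in listed for alg in required):
        return False  # weak-only checksum file: refuse, never fall back to it
    for alg, hexdigest in listed.items():
        fn = DIGESTS.get(alg)
        if fn is None or fn(archive) != hexdigest:
            return False
    return True

def find_collision(benign_prefix: bytes, malicious_prefix: bytes, tries: int = 4000):
    """Birthday search: vary a trailing comment line on each archive until one
    benign variant and one malicious variant share a weak digest."""
    seen = {}
    for i in range(tries):
        candidate = benign_prefix + b"# build %d\n" % i
        seen.setdefault(weak_digest(candidate), candidate)
    for j in range(tries):
        candidate = malicious_prefix + b"# build %d\n" % j
        match = seen.get(weak_digest(candidate))
        if match is not None:
            return match, candidate
    raise RuntimeError("no collision found; increase tries")

def demo() -> dict:
    key = b"constructed signing key"  # constructed; stands in for a GPG key
    good, evil = find_collision(b"patch: add sha256 support\n",
                                b"patch: exfiltrate gpg passphrase\n")
    # The maintainer signs a checksum file that names the archive by its weak hash only.
    cs_weak = make_checksum_file(good, ["weak"])
    tag_weak = sign(key, cs_weak)
    # Same archive, but the checksum file also lists SHA-256.
    cs_strong = make_checksum_file(good, ["weak", "sha256"])
    tag_strong = sign(key, cs_strong)
    return {
        # a verifier that trusts the weak hash accepts the swapped archive
        "weak_only_accepts_swap": verify_archive(evil, cs_weak, tag_weak, key, required=()),
        # the default policy refuses a weak-only checksum file outright
        "policy_rejects_weak_only": not verify_archive(good, cs_weak, tag_weak, key),
        "strong_accepts_original": verify_archive(good, cs_strong, tag_strong, key),
        "strong_rejects_swap": not verify_archive(evil, cs_strong, tag_strong, key),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that re-signing the checksum file, as the message points out, changes nothing in the weak-only case: the signature is over the hash, and the hash is shared by both archives. Requiring a collision-resistant digest in the signed file is what binds the signature to one specific archive.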

