Re: [Gnu-arch-users] Re: MD5 is broken

[Karel Gardas]

On Wed, 16 Mar 2005, Peter Conrad wrote:

> Am Mittwoch, 16. M?rz 2005 11:51 schrieb Karel Gardas:
> > On Wed, 16 Mar 2005, Peter Conrad wrote:
> > > Hi,
> > >
> > > On Wed, Mar 16, 2005 at 12:26:30PM +0600, Ivan Boldyrev wrote:
> > > > Tom Lord merges sexy patch.  Even if he will re-sign patch,
> > > > MD5 sum in ./checksum will be same because *.patches.tar.gz is same.
> > >
> > > this is wrong. If Tom merges your patch, he will automatically create
> > > additional log entries in his own branch. This (among other things, like
> > > changed timestamps) will lead to a file with a different MD5 sum.
> >
> > I'm afraid the whole message is a bit different: hack the mirror, hack the
> > patch while keeping MD5 intack and let your attack to software X spread
> > thorough the world.
>
> I understood Ivan's scenario like this:

[...]

Sorry! That's just my short-cut of the whole problem. As I've already
written I don't agree fully with Ivan's statements, but this does not
change anything on the fact that MD5 is broken.

> > I've just now looked at tla and baz and found that at least mirror on:
> > http://bazaar.canonical.com/archives/address@hidden/ uses also
> > SHA-1 hashes. Since SHA-1 is also considered weak these days, this
> > does not add that much security, but certainly at least something
> > before arch move to some more secure hash implementation.
>
> Combining different hashes in the signature should make attacks a lot
> more difficult, because an attacker would have to produce collisions
> for all hashes at the same time. Of course, *all*  hashes must be
> validated when checking the signature, instead of validating only one
> of them.

Yes, I agree, but combining two hashes from which one is considered broken
and one is considered weak these days is IMHO less secure than using one
hash which is considered secure.

Cheers,
Karel
--
Karel Gardas                  address@hidden
ObjectSecurity Ltd.           http://www.objectsecurity.com