
Re: [Gnu-arch-users] Re: MD5 is broken


From: Karel Gardas
Subject: Re: [Gnu-arch-users] Re: MD5 is broken
Date: Wed, 16 Mar 2005 20:34:13 +0100 (CET)

On Wed, 16 Mar 2005, Andrew Suffield wrote:

> On Wed, Mar 16, 2005 at 07:57:15PM +0100, Karel Gardas wrote:
> > On Wed, 16 Mar 2005, Andrew Suffield wrote:
> >
> > > On Wed, Mar 16, 2005 at 12:46:28PM +0100, Karel Gardas wrote:
> > > > Sorry! That's just my short-cut of the whole problem. As I've already
> > > > written I don't agree fully with Ivan's statements, but this does not
> > > > change anything on the fact that MD5 is broken.
> > >
> > > MD5 is not broken. That's a myth. Stop spreading it.
> >
> > Perhaps `MD5 is broken' is not the best description of the problem, but
> > let's say `MD5 is not collision free'. Is this better for you? i.e. there is
> > a possibility to find two values which hash to the same hash without using
> > a brute force attack.
>
> That is the case for all known hashing algorithms. Uninteresting distinction.

What? You can find relatively easily (i.e. not brute force attack) two
different values with the same hash for "all known hashing algorithms"?
Could you be so kind and let us know more details about your research in
this domain?

> > > > Yes, I agree, but combining two hashes from which one is considered broken
> > > > and one is considered weak these days is IMHO less secure than using one
> > > > hash which is considered secure.
> > >
> > > Your opinion is stupid and wrong, and there are no hashes which are
> > > 'considered secure' anyway.
> >
> > 'considered secure' means 'considered more secure than X' in this context.
> > Anyway, thanks for your polite `Your opinion is stupid and wrong'. I've
> > just thought that as a long time Arch user I can share some of my fears
> > with the broader Arch community and I hope such a possibility will be
> > preserved in the future.
>
> Please don't, people are stupid enough already. This kind of nonsense,
> and complete absence of logic, is unproductive and unwelcome.

I'm afraid there is some misunderstanding going on here. I hope I read the
paper by Mr. Klima correctly, but:

``Note that our method works for any initialization vector. It can be
abused in forging signatures of software packages and digital certificates
as some papers show ([4], [5], [6]).''

``Due to the briefness of research we did not go further in speeding up
the search for second blocks as we did for the first one, even though we
reached the complexity significantly lower than 2^42 (according to [3]).
The fact that we are able to find the collision in 8 hours using the PC
notebook attests that. According to [1], the search for the second block
should be 12 - 240 times faster than searching for the first block. That
would yield a collision in 2 minutes instead of 8 hours on a notebook.''

``It is shown in [4] that a single collision is enough to create a pair of
different self-extracting archives with identical hash value.''

So let's say there is a way to create a new tar.gz archive which will
have the same MD5 hash value as the old tar.gz archive
(http://cryptography.hyperlink.cz/2004/otherformats.html). As I understand
this, this is just a proof that the Arch security model based on MD5 is weak
if not completely broken. As I've already written, using SHA-1 adds some
security, but even SHA-1 is considered a weak hash function these days:
http://lwn.net/Articles/127667/

Or am I completely mistaken here? If so, I would appreciate it if you
could be so kind as to correct my mistake(s).

Thank you very much!
Karel
--
Karel Gardas                  address@hidden
ObjectSecurity Ltd.           http://www.objectsecurity.com
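The thread argues over whether an archive whose integrity rests on MD5 alone can still be trusted, and whether adding a second digest (SHA-1) helps. The following Python snippet is an added illustration of the defensive side of that argument, not code from the thread or from GNU Arch: a small verifier that records several digests of the same archive bytes and refuses to accept a manifest that carries only legacy digests (MD5, SHA-1). The sample archive bytes, the manifest layout and the `STRONG_DIGESTS` / `LEGACY_DIGESTS` sets are constructed for this example.

```python
import hashlib
import hmac
from typing import Dict, Iterable

# Constructed policy for this example: a manifest is only trusted if it
# contains at least one digest from STRONG_DIGESTS. MD5 and SHA-1 may be
# present for compatibility, but never as the sole evidence of integrity.
STRONG_DIGESTS = {"sha256", "sha512"}
LEGACY_DIGESTS = {"md5", "sha1"}


def digest_manifest(data: bytes,
                    algorithms: Iterable[str] = ("md5", "sha1", "sha256")) -> Dict[str, str]:
    """Compute every requested digest of the same bytes (hex encoded)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def manifest_is_strong_enough(manifest: Dict[str, str]) -> bool:
    """True if the manifest carries at least one digest we consider strong."""
    return bool(STRONG_DIGESTS & set(manifest))


def verify_archive(data: bytes, manifest: Dict[str, str]) -> bool:
    """Accept the archive only if the manifest is strong enough and every
    listed digest matches. A single mismatch rejects the archive, so a
    collision in one legacy digest cannot pass on its own."""
    if not manifest_is_strong_enough(manifest):
        return False
    for name, expected in manifest.items():
        actual = hashlib.new(name, data).hexdigest()
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(actual, expected):
            return False
    return True


# Constructed sample input standing in for a released tar.gz archive.
ORIGINAL_ARCHIVE = b"constructed tar.gz bytes for the example\n" * 8
TAMPERED_ARCHIVE = ORIGINAL_ARCHIVE[:-1] + b"!"

if __name__ == "__main__":
    manifest = digest_manifest(ORIGINAL_ARCHIVE)
    print("original accepted:", verify_archive(ORIGINAL_ARCHIVE, manifest))
    print("tampered accepted:", verify_archive(TAMPERED_ARCHIVE, manifest))
    md5_only = digest_manifest(ORIGINAL_ARCHIVE, ("md5",))
    print("md5-only manifest accepted:", verify_archive(ORIGINAL_ARCHIVE, md5_only))
```

Requiring every digest in the manifest to match means an attacker would need a simultaneous collision in all of them; rejecting manifests that list only legacy digests keeps an MD5-only record from being accepted at all.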