| Subject: | Report of collision-generation with MD5 | |
|---|---|---|
| From: | Scott Gerhardt (sco...@g-it.ca) | |
| Date: | Aug 25, 2004 3:07:58 pm | |
| List: | org.freebsd.freebsd-security | |
On 18-Aug-2004 Mike Tancsa wrote:
As I have no crypto background to evaluate some of the (potentially wild and erroneous) claims being made in the popular press* (e.g. http://news.com.com/2100-1002_3-5313655.html see quote below), one thing that comes to mind is the safety of ports. If someone can pad an archive to come up with the same MD5 hash, this would challenge the security of the FreeBSD ports system, no?
I _believe_ the answer is "no", because I _think_ the FreeBSD ports system also verifies the size of the archive(s) (cat /usr/ports/any/any/distinfo to see what made me think that).
Padding would modify archive size. Finding a backdoored version that both satisfies producing the same hash and being the same size is probably not impossible, but how many years would it take?
Now, I may be wrong. Any enlightenment welcome.
-- Guy
_______________________________________________
Why not adopt the OpenBSD method for ports? OpenBSD supplies 3 hashes/digests for downloaded binaries and sources. Those OpenBSD guys leave nothing to chance.
```
ports/databases/postgresql] scott% cat distinfo
MD5 (postgresql-7.3.5.tar.gz) = ef2751173050b97fad8592ce23525ddf
RMD160 (postgresql-7.3.5.tar.gz) = 83d5f713d7bfcf3ca57fb2bcc88d052982911d73
SHA1 (postgresql-7.3.5.tar.gz) = fbdab6ce38008a0e741f8b75e3b57633a36ff5ff
```
Thanks,
-- Scott A. Gerhardt, P.Geo. Gerhardt Information Technologies
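
The multi-digest check discussed in this thread, as an added example (not code from any poster or from the FreeBSD or OpenBSD ports trees): a Python checker that parses `ALGO (file) = value` lines like those quoted above and accepts a distfile only when every recorded value matches. The `SIZE` line format, the file name `demo-1.0.tar.gz` and the sample bytes are constructed assumptions.

```python
import hashlib
import re

# BSD-style line as in the distinfo output quoted above: ALGO (filename) = value
LINE = re.compile(r"^(\w+) \((.+)\) = (\S+)$")
ALGOS = {"MD5": "md5", "SHA1": "sha1", "RMD160": "ripemd160"}  # tag -> hashlib name


def parse_distinfo(text):
    """Return {filename: {tag: value}} for every well-formed line."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            tag, name, value = m.groups()
            entries.setdefault(name, {})[tag] = value.lower()
    return entries


def check_distfile(distinfo_text, name, data):
    """Check data against every recorded value; return {tag: status}."""
    results = {}
    for tag, expected in parse_distinfo(distinfo_text).get(name, {}).items():
        if tag == "SIZE":
            results[tag] = "ok" if str(len(data)) == expected else "mismatch"
            continue
        try:
            h = hashlib.new(ALGOS[tag], data)
        except (KeyError, ValueError):
            # Unknown tag or digest missing from this build: report, never skip.
            results[tag] = "unsupported"
            continue
        results[tag] = "ok" if h.hexdigest() == expected else "mismatch"
    return results


def accepted(results):
    """Accept only if nothing mismatched and at least one digest verified."""
    digests = [s for t, s in results.items() if t != "SIZE"]
    return "mismatch" not in results.values() and "ok" in digests


# Constructed sample (not a real distfile): distinfo built from known bytes.
GOOD = b"constructed tarball contents\n"
DISTINFO = "\n".join([
    "MD5 (demo-1.0.tar.gz) = " + hashlib.md5(GOOD).hexdigest(),
    "SHA1 (demo-1.0.tar.gz) = " + hashlib.sha1(GOOD).hexdigest(),
    "SIZE (demo-1.0.tar.gz) = %d" % len(GOOD),
])
```

A same-length modification passes the `SIZE` check but fails both digests, so the size comparison only adds a constraint on top of the hashes and does not replace them.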





