Hi everyone,

Not sure if you've read http://www.win.tue.nl/hashclash/SoftIntCodeSign/ .

Should some kind of advisory be sent to advise people not to rely solely on MD5 checksums? Maybe an update to the man page is due?:

"
MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
been made that its security is in some doubt. The attacks on MD5 are in
the nature of finding ``collisions'' -- that is, multiple inputs which
hash to the same value; it is still unlikely for an attacker to be able
to determine the exact original input given a hash value.
"

Cheers,
B

_________________________
{Beto|Norberto|Numard} Meijome

If you find a solution and become attached to it, the solution may become your next problem.

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
On Mon, 3 Dec 2007, Norberto Meijome wrote:

> Hi everyone,
>
> Not sure if you've read http://www.win.tue.nl/hashclash/SoftIntCodeSign/ .
>
> should some kind of advisory be sent to advise people not to rely solely on MD5 checksums? Maybe an update to the man page is due ? :
>
> "
> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> been made that its security is in some doubt. The attacks on MD5 are in
> the nature of finding ``collisions'' -- that is, multiple inputs which
> hash to the same value; it is still unlikely for an attacker to be able
> to determine the exact original input given a hash value.
> "

Some measures are already taken:

- FreeBSD ports use not only MD5 but SHA256 additionally
- Same applies for FreeBSD ISO images

Best Regards,
Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Not sure if you've read http://www.win.tue.nl/hashclash/SoftIntCodeSign/ .
>
> should some kind of advisory be sent to advise people not to rely solely
> on MD5 checksums? Maybe an update to the man page is due ? :

This is very old news. Most tools and systems seem to have switched to SHA variants: GPG (e.g., as used to sign FreeBSD security advisories) uses SHA1; ports distinfo files use SHA256; etc.

The SHA variants have also been shown to be weaker than expected, too, but they're stronger than MD5, and it's not really clear at this point that there's anything better yet. The cryptographers are working on it: http://www.nist.gov/hash-competition

I'm not sure why this made it to the front page of Slashdot again; identical attacks were on the front page of Slashdot three years ago (see the links at the bottom of your own URL...). Anyone in a position to understand what's going on here already knew. And anyone who doesn't understand these results is not going to be able to make any effective use of an advisory, and they're just going to get scared over nothing.

Therefore, I don't think any kind of advisory is warranted.

-Jason

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQFHU65xswXMWWtptckRAp1qAKC5pGONKG3pdY11yzduGN0MYRlIwACgqKkd
3YhDBot1SAI4ALuOPi12hWQ=
=8gRM
-----END PGP SIGNATURE-----
Norberto Meijome wrote:

> Hi everyone,
>
> Not sure if you've read http://www.win.tue.nl/hashclash/SoftIntCodeSign/ .
>
> should some kind of advisory be sent to advise people not to rely solely on MD5 checksums? Maybe an update to the man page is due ? :

My 2c worth:

The attack is somewhat subtle, and doesn't really apply to the use that is currently made of MD5. The attack with MD5 is that if you can create your own text, you can create 2 texts with the same MD5. That however is very different to you creating a new text with the same MD5 as my text. It is the latter that is normal usage.

In this case, if you are distributing your code with an MD5 signature so others can check it, it is still not a useful attack. MD5 is still good for that.

Having said that, the general warning is more or less correct; move to a longer hash, if designing new apps. However, it gets messier, as you need to choose a replacement:

* SHA1 is good "for now", but expected to suffer in a few short years. No point in picking that.
* SHA256 and friends are also under some sort of skeptical cloud, although they are likely good for a lot longer (ask 3 cryptographers for 7 different answers here). While it could be good to pick SHA256, etc, there isn't that total 100% theoretical pareto-complete confidence that cryptographers insist on...
* To address this, NIST just a couple of months back announced a SHA3 competition. This will in the space of maybe 4-6 years announce a new generation hash. Can you wait for that?

There are then a handful of strategies that might help:

a. switch to SHA256 now, and then SHA3 in 5 years time.
b. limp along on MD5 and plan on SHA3 when it is available.
c. add "hash agility" to all programs and allow apps to follow their desires.

Which you follow depends on where you are in the crypto-paranoia curve. Unless the app is an actual vector of validated attacks, I'd suggest b. If you are part of the community and like inflicting crypto turmoil on your users for fun and pleasure, do c. If you are some big company and have to answer to others' ideas of compliance, do a.

> "
> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> been made that its security is in some doubt. The attacks on MD5 are in
> the nature of finding ``collisions'' -- that is, multiple inputs which
> hash to the same value; it is still unlikely for an attacker to be able
> to determine the exact original input given a hash value.
> "

That's fine as a description of the problem. What it lacks is any advice as to what an application developer should do about it. A tough issue :)

iang
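The thread above mentions two concrete practices: the ports distinfo files that list both MD5 and SHA256 for each distfile (Janos's message), and "hash agility" as strategy c in iang's message. The following is an added example, not code from the thread or from the FreeBSD ports tree, of what a hash-agile checksum verifier for a distinfo-style file looks like: every listed digest must match, and at least one must come from an algorithm at or above a configured floor, so an MD5-only entry is refused rather than silently trusted. The distfile name, its contents and the strength ranking are constructed for the example; the `ALGO (file) = hex` line shape follows FreeBSD's distinfo, but the `SIZE` handling and the policy floor are assumptions of this example.

```python
"""Hash-agile distinfo-style checksum verification (added example, not project code)."""
import hashlib
import hmac

# Constructed distfile for the example; not a real archive.
DISTFILE = "example-1.0.tar.gz"
DISTFILE_BYTES = b"constructed archive bytes; not a real tarball\n"

# Assumed strength ranking: weaker algorithms may be listed as an extra
# check, but an entry is only trusted if something at or above
# MIN_STRENGTH also verifies. Raising the floor later is a one-line change.
STRENGTH = {"MD5": 0, "SHA1": 1, "SHA256": 2, "SHA512": 3}
MIN_STRENGTH = STRENGTH["SHA256"]


def make_distinfo(fname, data, algos):
    """Emit distinfo-style lines 'ALGO (fname) = value' for the given algorithms.

    'SIZE' is handled as a byte count, as in real distinfo files."""
    lines = []
    for algo in algos:
        if algo == "SIZE":
            value = str(len(data))
        else:
            value = hashlib.new(algo.lower(), data).hexdigest()
        lines.append("%s (%s) = %s" % (algo, fname, value))
    return "\n".join(lines) + "\n"


def parse_distinfo(text):
    """Parse distinfo-style lines into {fname: {ALGO: value}}; reject malformed lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            algo, rest = line.split(" ", 1)
        except ValueError:
            raise ValueError("malformed distinfo line: %r" % raw)
        if not rest.startswith("(") or ") = " not in rest:
            raise ValueError("malformed distinfo line: %r" % raw)
        fname, value = rest[1:].split(") = ", 1)
        entries.setdefault(fname, {})[algo.upper()] = value.strip().lower()
    return entries


def verify_bytes(data, fname, entries):
    """Return (ok, reason).

    Every listed value must match the data, and at least one matching
    digest must come from an algorithm of strength >= MIN_STRENGTH."""
    listed = entries.get(fname)
    if not listed:
        return False, "no distinfo entry for %s" % fname
    best = -1
    for algo, expected in listed.items():
        if algo == "SIZE":
            if str(len(data)) != expected:
                return False, "size mismatch"
            continue
        if algo not in STRENGTH:
            return False, "unsupported algorithm %s" % algo
        actual = hashlib.new(algo.lower(), data).hexdigest()
        # Constant-time comparison; the digests are public, but it costs nothing.
        if not hmac.compare_digest(actual, expected):
            return False, "%s mismatch" % algo
        best = max(best, STRENGTH[algo])
    if best < MIN_STRENGTH:
        return False, "no hash at or above SHA256 listed; refusing"
    return True, "ok"


def verify_file(path, fname, distinfo_text):
    """Convenience wrapper: verify a file on disk against distinfo text."""
    with open(path, "rb") as f:
        data = f.read()
    return verify_bytes(data, fname, parse_distinfo(distinfo_text))


def demo():
    """Three cases: MD5-only entry, MD5+SHA256+SIZE entry, and a tampered distfile."""
    results = {}
    md5_only = parse_distinfo(make_distinfo(DISTFILE, DISTFILE_BYTES, ["MD5"]))
    results["md5_only"] = verify_bytes(DISTFILE_BYTES, DISTFILE, md5_only)
    full = parse_distinfo(make_distinfo(DISTFILE, DISTFILE_BYTES, ["MD5", "SHA256", "SIZE"]))
    results["md5_and_sha256"] = verify_bytes(DISTFILE_BYTES, DISTFILE, full)
    results["tampered"] = verify_bytes(DISTFILE_BYTES + b"#", DISTFILE, full)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-16s %s (%s)" % (name, "PASS" if ok else "FAIL", why))
```

The design point is the one iang's option c makes: the verifier never hard-codes a single algorithm, so adding SHA-3 later means one new entry in `STRENGTH` and a new distinfo line, and retiring MD5 means lowering nothing but the trust placed in it. Note that a collision-style attack of the kind in the linked page needs both colliding files to be produced by the same party; the tampered case here is the ordinary "someone replaced the tarball" scenario, which MD5 alone still catches, and the refusal of the MD5-only entry is policy, not evidence that MD5 failed.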
Norberto Meijome wrote:

> should some kind of advisory be sent to advise people not to rely solely on MD5 checksums? Maybe an update to the man page is due ? :
>
> "
> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> been made that its security is in some doubt. The attacks on MD5 are in
> the nature of finding ``collisions'' -- that is, multiple inputs which
> hash to the same value; it is still unlikely for an attacker to be able
> to determine the exact original input given a hash value.
> "

I fail to see how the man page is incorrect here. What do you think it should be saying instead?

Colin Percival
FreeBSD Security Officer
Colin Percival wrote:

>> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
>> been made that its security is in some doubt. The attacks on MD5 are in
>> the nature of finding ``collisions'' -- that is, multiple inputs which
>> hash to the same value; it is still unlikely for an attacker to be able
>> to determine the exact original input given a hash value.
>> "
>
> I fail to see how the man page is incorrect here. What do you think it should
> be saying instead?

I would drop the statement altogether since it is not accurate for MD5 signatures of binary packages and tarballs. At the very least define the specific scenarios under which MD5 can be broken and drop the "its security is in some doubt" claim. Vague statements about crypto are worse than none at all.

--
Roger Marquis
Colin Percival asked:

> Norberto Meijome wrote:
>> should some kind of advisory be sent to advise people not to rely
>> solely on MD5 checksums? Maybe an update to the man page is due ? :
>>
>> "
>> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
>> been made that its security is in some doubt. The attacks on
>> MD5 are in
>> the nature of finding ``collisions'' -- that is, multiple
>> inputs which
>> hash to the same value; it is still unlikely for an attacker to
>> be able
>> to determine the exact original input given a hash value.
>> "
>
> I fail to see how the man page is incorrect here. What do you think
> it should
> be saying instead?

Nothing. This is philosophy, which goes far beyond the scope of man pages.

As a security researcher, it's fun to spend years poking at a problem until you find a way to exploit it, and the meaning doesn't change if the exploit takes all of the computing resources that existed in the known universe up to last year. In the real world, these 'attacks' have little meaning. The common uses of MD5 as applied to the average FreeBSD consumer consist of adding some amount of assurance that the bits said user just downloaded are indeed the bits (s)he wanted to download. The probability of someone compromising one or more servers, replacing the compressed tar image with another compressed tar image of the SAME LENGTH that is still valid and that manages to do much the same work as the original, plus some nefarious additional function, is infinitesimally small.

In theory, theory is better than practice, but in practice, it never is.

The one direction the FreeBSD Project should take from this discussion is that cryptography, like any form of security, is an arms race. Utilities that use cryptography for protection should plan on being able to use newer ciphers from the very beginning, because what we have now will, in practice, NEVER be enough tomorrow, for some tomorrow.

--
Where am I, and what am I doing in this handbasket?
Wes Peters wes@softweyr.com