Report of collision-generation with MD5
guy at device.dyndns.org
guy at device.dyndns.org
Wed Aug 25 12:51:56 PDT 2004
On 18-Aug-2004 Mike Tancsa wrote:
> As I have no crypto background to evaluate some of the (potentially wild
> and erroneous) claims being made in the popular press* (eg
> http://news.com.com/2100-1002_3-5313655.html see quote below), one thing
> that comes to mind is the safety of ports. If someone can pad an archive
> to come up with the same MD5 hash, this would challenge the security of
> the FreeBSD ports system no ?
I _believe_ answer is "no", because i _think_ the FreeBSD ports system also
verify the size of the archive(s) (cat /usr/ports/any/any/distinfo to see
what made me think that).
Padding would modify archive size. Finding a backdoored version that both
satisfy producing the same hash and being the same size is probably not
impossible, but how many years would it take ?
Now, i may be wrong. Any enlightement welcome.
--
Guy
More information about the freebsd-security
mailing list