MD5 Collisions...
Iang
iang at iang.org
Mon Dec 3 05:59:53 PST 2007
Norberto Meijome wrote:
> Hi everyone,
>
> Not sure if you've read http://www.win.tue.nl/hashclash/SoftIntCodeSign/ .
>
> should some kind of advisory be sent to advise people not to rely solely on MD5 checksums? Maybe an update to the man page is due ? :
my 2c worth:
The attack is somewhat subtle, and doesn't really apply to
the use that is currently made of MD5.
The attack with MD5 is that if you can create your own text,
you can create 2 texts with the same MD5. That however is
very different to you creating a new text with the same MD5
as my text. It is the latter that is normal usage.
In this case, if you are distributing your code with an MD5
signature so others can check it, it is still not a useful
attack. MD5 is still good for that.
Having said that, the general warning is more or less
correct; move to a longer hash, if designing new apps.
However, it gets messier, as you need to chose a replacement:
* SHA1 is good "for now", but expected to suffer in a few
short years. No point in picking that.
* SHA256 and friends are also under some sort of skeptical
cloud, although they are likely good for a lot longer (ask 3
cryptographers for 7 different answers here). While it
could be good to pick SHA256, etc, there isn't that total
100% theoretical pareto-complete confidence that
cryptographers insist on...
* To address this, NIST just a couple of months back
announced a SHA3 competition. This will in the space of
maybe 4-6 years announce a new generation hash. Can you
wait for that?
There are then a handful of strategies that might help:
a. switch to SHA256 now, and then SHA3 in 5 years time.
b. limp along on MD5 and plan on SHA3 when it is available.
c. add "hash agility" to all programs and allow apps to
follow their desires.
Which you follow depends on where you are in the
crypto-paranoia curve.
Unless the app is an actual vector of validated attacks, I'd
suggest b. If you are part of the community and like
inflicting crypto turmoil on your users for fun and
pleasure, do c. If you are some big company and have to
answer to others' ideas of compliance, do a.
> "
> MD5 has not yet (2001-09-03) been broken, but sufficient attacks have
> been made that its security is in some doubt. The attacks on MD5 are in
> the nature of finding ``collisions'' -- that is, multiple inputs which
> hash to the same value; it is still unlikely for an attacker to be able
> to determine the exact original input given a hash value.
> "
That's fine as a description of the problem. What it lacks
is any advice as to what an application developer should do
about it. A tough issue :)
iang
More information about the freebsd-security
mailing list