2013/1/27, Jeffrey Walton <[email protected]>:
> MD5 is completely broken, and has no cryptographic value. Yet it
> appears to be used in cryptographic routines.

Follow-up:

MD5's weaknesses aren't a problem for BOINC.

1. Passwords are stored in the server, and sent from the client to the
server, in a completely insecure way. To be clear: it has as much
security as using plaintext, despite using MD5. Changing the hash
algorithm won't solve that.

2. Authentication for everyday requests doesn't use the password
anyway. The password is only used when you attach the project, to get
the "account key" (a randomly-generated MD5-looking hex string), and
then the account key is used for all further communication, without
hashing or challenge-response or anything. This string has the
additional property that, unlike passwords, users cannot change it; so
if it's compromised you're doomed forever.

3. Project executables are signed by RSA-encrypting an MD5 hash of the
file. To break this you need a second-preimage attack. MD5 has known
collision attacks that make it useless for anything needing
collision-resistance, but the best known preimage attack brings the
complexity from a 2^128 brute-force to 2^123. That's still
*completely* infeasible. With current attacks and hardware, the Sun
will turn into a red giant *long* before you can make a file that has
the same MD5 hash as an existing BOINC science app.

In summary, client-server authentication is completely insecure and
it's not MD5's fault, and executable signing is secure despite MD5.

"Your software will never be so secure that the easiest means of
attack comes down to the hashing algorithm" -- Cody Brocious

-- 
Nicolás
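As an added illustration (not part of the message above and not BOINC's own code), here is a toy Python model of the three flows described: a server that stores md5(password) and compares it with the hex digest the client sends, an account key that is sent as-is on every request, and executable signing as RSA over the file's MD5 digest. Everything is constructed for the example: the project class, the e-mail address, the stand-in "science app" bytes, and the RSA key, which is textbook RSA with no padding built from two fixed Mersenne primes purely so the output is deterministic (it is not a secure key).

```python
# Toy model of the flows described above (added illustration, not BOINC code).
# Assumptions: Python 3.8+ for pow(e, -1, n); fixed Mersenne primes and
# unpadded textbook RSA, chosen only to keep the example deterministic.
import hashlib
import os


# --- Points 1 and 2: the stored/transmitted MD5 is a password equivalent ----

class ToyProject:
    """Server side: holds md5(password) and a random account key per user."""

    def __init__(self):
        self.accounts = {}  # email -> {"pw_hash": hex, "account_key": hex}

    def create_account(self, email, password):
        self.accounts[email] = {
            "pw_hash": hashlib.md5(password.encode()).hexdigest(),
            "account_key": os.urandom(16).hex(),  # random "MD5-looking" hex
        }

    def lookup_account(self, email, pw_hash):
        """Attach step: the client sends md5(password), gets the account key.
        The server compares the received hex string with the stored one."""
        acct = self.accounts.get(email)
        if acct and acct["pw_hash"] == pw_hash:
            return acct["account_key"]
        return None

    def handle_request(self, account_key):
        """Everyday request: the key itself is the credential, sent verbatim."""
        return any(a["account_key"] == account_key
                   for a in self.accounts.values())


def credential_demo():
    project = ToyProject()
    project.create_account("alice@example.org", "correct horse")

    # Honest client: hashes the password and sends the digest on the wire.
    wire_hash = hashlib.md5(b"correct horse").hexdigest()
    key = project.lookup_account("alice@example.org", wire_hash)

    # Attacker has only what crossed the wire (or a dump of the server table)
    # and never learns or needs the password: the hash is replayed as-is.
    replayed_key = project.lookup_account("alice@example.org", wire_hash)

    return {
        "key_from_replayed_hash": replayed_key == key,
        # A captured account key keeps working; the user cannot rotate it.
        "captured_key_still_valid": project.handle_request(key),
        "wrong_hash_rejected":
            project.lookup_account("alice@example.org", "0" * 32) is None,
    }


# --- Point 3: executable signature = RSA over md5(file) ---------------------

P = 2**127 - 1   # Mersenne primes M127 and M89: fixed for determinism only
Q = 2**89 - 1
N = P * Q        # about 2^216, comfortably larger than a 128-bit digest
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def md5_as_int(data: bytes) -> int:
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def sign_file(data: bytes) -> int:
    """Signer: RSA private operation on the raw MD5 digest (no padding)."""
    return pow(md5_as_int(data), D, N)


def verify_file(data: bytes, signature: int) -> bool:
    """Client: recover the digest with the public key, compare with md5(file)."""
    return pow(signature, E, N) == md5_as_int(data)


def signing_demo():
    app = b"#!/bin/sh\necho science\n"          # constructed stand-in binary
    sig = sign_file(app)
    tampered = app.replace(b"science", b"malware")
    return {
        "genuine_verifies": verify_file(app, sig),
        "tampered_rejected": not verify_file(tampered, sig),
        # To pass verification with a different file, an attacker must hit
        # exactly this digest: a second preimage of a file they did not
        # choose, which a collision between two attacker-made files is not.
        "target_digest": hashlib.md5(app).hexdigest(),
    }


if __name__ == "__main__":
    print(credential_demo())
    print(signing_demo())
```

The credential half shows why the message calls the scheme "as much security as plaintext": the server never sees the password, only md5(password), so whatever the attacker captures is directly replayable. The signing half shows where the signature check actually lives: `verify_file` succeeds only if md5(file) matches the digest recovered from the signature, so tampering with the signed file is detected unless the attacker can produce a second preimage of that digest.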
_______________________________________________
boinc_dev mailing list
[email protected]
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev