On 9050 day of my life Matthew Dempsky wrote:
> On Tue, 2005-03-15 at 20:03 +0600, Ivan Boldyrev wrote:
>> Arch uses MD5 internally. But MD5 is not weak hash function, it was
>> attacked many times, and recently the first practical attack was created:
>
> That attack you cite is just at finding two documents that have the same
> collision, which isn't a very useful attack against an arch archive.

Sure? For example, someone broke into Tom Lord's computer and can change everything they want. The attacker creates some sexy patch for TLA (for example, support of multiple hashes from libgcrypt). Then the attacker creates another patch that steals gpg passwords that people type when using signed archives. Two patches with the same MD5 signature. Quotation from the paper of a Czech scientist:

,----
| It is shown in [4] that a single collision is enough to create a pair
| of different self-extracting archives with identical hash value.
|
| [4] Vlastimil Klima: Several observation regarding Chinese collision
| of MD5, 3rd International Scientific Conference Security and
| Protection of Information.
`----

Then the attacker sends a message to the TLA devel list: "I have sexy patch! Get it from http://somewhere.tld/{arch}/my-tla-archive"

Tom Lord merges the sexy patch. Even if he re-signs the patch, the MD5 sum in ./checksum will be the same because *.patches.tar.gz is the same. Then the attacker replaces the correct patch with the malicious one behind the scenes. And nobody will notice, because the MD5 sum is the same, and the patch is signed by Tom Lord.

Of course, we can refuse to merge patches from unknown sources. But then TLA is not distributed anymore. Or we can merge these patches, but then TLA is not secure anymore. Distributed or secure -- choose one.

Yep, it is a bit harder than just exploiting a pre-image attack. But what is harder: breaking into Tom's computer or creating a sexy patch? I think the former. Then this attack is no more than two times harder than an attack with a pre-image.

> If someone finds a second pre-image attack against md5, then arch
> will be in trouble (but so will just about anything else).

MD5 has been considered insecure for many years. Arch is already in trouble because Arch developers do not understand security. I am not a security expert either, but designing a security attack against Arch took less time than writing this message.

>> GNU Arch must move away from MD5 ASAP.
>
> You're right, arch /does/ need to switch to something more secure
> eventually, but please don't spread FUD exaggerating the consequences of
> this most recent finding.

Think twice before pressing the "Send" button.

-- 
Ivan Boldyrev

Is 'morning' a gerund?
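Added example, not code from the thread or from GNU Arch: a small Python verifier for the kind of multi-hash checksum file Ivan proposes. It assumes a one-digest-per-line manifest format (`<algo> <hex>`), not Arch's real ./checksum layout, and accepts an archive only when every listed digest matches and at least one comes from a collision-resistant algorithm, so an MD5 collision between two archives is no longer enough for both to pass.

```python
import hashlib
from typing import Dict, Tuple

# Policy for this example (constructed): MD5 is treated as collidable,
# SHA-2 digests as still collision-resistant. Extend as algorithms age.
WEAK = {"md5"}
STRONG = {"sha256", "sha512"}

# Constructed stand-in for the bytes of a *.patches.tar.gz archive.
PATCH = b"constructed sample: tla patch archive bytes\n"


def make_manifest(archive: bytes, algos=("md5", "sha256")) -> str:
    """Build a manifest in the assumed '<algo> <hex>' line format."""
    return "\n".join(f"{a} {hashlib.new(a, archive).hexdigest()}" for a in algos)


def parse_manifest(text: str) -> Dict[str, str]:
    """Map algorithm name -> expected hex digest, ignoring blank lines."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        algo, digest = line.split()
        entries[algo.lower()] = digest.lower()
    return entries


def verify(archive: bytes, manifest: str) -> Tuple[bool, str]:
    """Return (ok, reason).

    Every listed digest must match the archive, and the manifest must
    contain at least one STRONG algorithm; a manifest carrying only MD5
    is rejected even when its digest matches, because a second archive
    with the same MD5 could be substituted unnoticed.
    """
    entries = parse_manifest(manifest)
    if not entries:
        return False, "empty manifest"
    for algo, expected in entries.items():
        actual = hashlib.new(algo, archive).hexdigest()
        if actual != expected:
            return False, f"{algo} mismatch"
    if not (set(entries) & STRONG):
        return False, "only weak algorithms listed: " + ", ".join(sorted(entries))
    return True, "ok"
```

The MD5 line is still checked, so an existing MD5-only ./checksum keeps its value during a transition, but the verifier refuses to treat it as sufficient on its own.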
_______________________________________________
Gnu-arch-users mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/gnu-arch-users

GNU arch home page: http://savannah.gnu.org/projects/gnu-arch/
