Re: Time to replace MD5?
* Henrique de Moraes Holschuh:
>> Size information doesn't buy you that much.
>
> When we are talking about a binary blob that matches the *same* md5sum? Yes,
> it does. Causing an MD5 collision with a message of the same size is far more
> difficult.
Oh, in this case, please show us a collision of two messages of 641
and 642 bytes. 8-)
AFAIK, the currently published attacks do not work well against the
final block with padding, so it's still not possible to change the
length.
>> > AND the fact that it needs to be a valid .deb archive, they are
>> > probably more than strong enough.
>>
>> That, and the "evil twin" package would have to be prepared by the
>> security team as well, which isn't a relevant scenario (because they
>
> Would it?
With the currently published attacks, yes. If significantly better
attacks appear, they might also apply to message digests in the same
family, so this is only a slightly convincing argument for replacing
MD5 with SHA-1 (or even SHA-256). Actually, there isn't much Debian
can do, other than to wait. We don't share many of the problems
because our protocols are proprietary, and we've got a working software
distribution process to end users. Lots of other stuff (especially in
the IETF context, think appliances) needs to preserve interoperability
with other people's code, or can't be field-upgraded.