
Re: Time to replace MD5?



* Steffen Schulz:

> On 070613 at 10:43, Florian Weimer wrote:
>> > AND the fact that it needs to be a valid .deb archive, they are
>> > probably more than strong enough.
>
> This is actually not much of a problem:
>
> http://www.cits.rub.de/MD5Collisions/
>
> One example how to create two files with same hash that act
> differently. Should work with most active content.

The problem is ambiguous content, not the collision.  This has been
thoroughly debunked, I don't know why they continue publishing this.

It's easy to exploit their fictional document signing process without
creating an MD5 collision, which strongly suggests ("proves") that the
process itself is flawed.

Since you are located at RUB, could you please make sure that they
correct their analysis?

> Kaminsky did the same with self-extracting executables:
>
> http://www.doxpara.com/md5_someday.pdf

Yeah, but the evil twins must be created *by* *the* *same* *party*.
In the Debian case, this party is already trusted, so the current
attacks make no difference.

>> That, and the "evil twin" package would have to be prepared by the
>> security team as well, which isn't a relevant scenario (because they
>> could put a backdoor in the original without attacking the hash).

> So apt-get signatures use a secure hash function?

Secure against currently known attacks, yes.  And we can distribute a
new hash function to clients pretty easily (something which is quite
unusual).

> With the above results, it would be possible to officially distribute
> nice behaving software but present specific targets with modified
> packages that do evil.

Yeah, right.  Guess what?  Distributors can do this even without using
MD5 attacks.


