md5 checksums used in DSA

To: debian-security@lists.debian.org
Subject: md5 checksums used in DSA
From: Bas Steendijk <beware@bircd.org>
Date: Sat, 11 Oct 2008 14:46:10 +0200
Message-id: <[🔎] 48F0A012.3000004@bircd.org>

MD5 is still used to produce file hashes in the DSA mails, for users toverify the integrity against errors and malicious intent. the use of PGPsigning further suggests the intent to protect against malicious intent.

MD5 should not be used for this purpose. MD5 collisions can be producedby individuals on meaningful files.


http://www.win.tue.nl/hashclash/Nostradamus/

demonstration: produced 10 different, meaningful, PDF documents with thesame MD5 hash to "predict" the winner of the 2008 US elections.


http://www.win.tue.nl/hashclash/TargetCollidingCertificates/

demonstration: X.509 certificates from 2 different owners with the sameMD5 hash


MD5 should be abandoned immediately in favor of a new hash.

2 possible candidates:

- SHA-1: the present day de-facto standard hash. no collisions have beenfound or published yet. it is currently broken to the extent that acollision can be produced with complexity 2^69. it is suggested that onecan produce collisions in 56 hour per collision, with custom hardwareworth USD 38 million.

http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
recommendation is to not use it in new systems if possible.

- SHA-256: newer, bigger, hash function, not yet broken, should providesecurity for a very long time to come

Reply to:

Prev by Date: Koro Gabiola . Oporretan nago . Estoy de vacaciones
Next by Date: Re: Keeping the webserver safe
Previous by thread: Koro Gabiola . Oporretan nago . Estoy de vacaciones
Next by thread: RE: [SECURITY] [DSA 1653-1] New Linux 2.6.18 packages fix several vulnerabilities
Index(es):
- Date
- Thread