
Re: concrete steps for improving apt downloading security and privacy



On Sun, Jul 13, 2014 at 08:35:56AM +0900, Joel Rees wrote:
> MD5 has been broken for a small number of applications. Its status is
> questionable for the rest, but if we want to help break it completely,
> let's get all the distros that insist on still using MD5 to use it,
> not just for signing, but for encrypting their distribution images.

The point that you miss is that a chosen plaintext attack is not
dependent on the secret key in use. It's an attack against the algorithm
itself. If we sign publicly available data (be it Debian packages, CD
images, or this email) with a given key, we really aren't giving our
adversaries anything that they can't create for themselves. Keys are
cheap to generate. If an adversary wants to perform chosen plaintext
analysis, they can do so today with their own keys and with all the
common public datasets they want. Getting "all the distros that insist
on still using MD5 to use it, not just for signing, but for encrypting
their distribution images" won't change anything. (Not to mention that
it shows a fundamental misunderstanding of what a digest algorithm like
md5 actually is.)

noah

Attachment: signature.asc
Description: Digital signature
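The point above, that a digest is a pure function of the data and involves no key, is what makes the choice of hash algorithm in apt's Release files matter. The following added example (not code from the thread or from apt itself) builds a constructed Release-file fragment in apt's layout (per-algorithm sections such as `SHA256:` followed by ` <hex digest> <size> <path>` lines), parses it back, and verifies a file against the strongest digest listed, refusing to treat an MD5-only or SHA1-only entry as verification. The file contents, suite name and paths are constructed sample values; the function names are this example's own.

```python
import hashlib
import hmac

# Digest algorithms apt has historically listed in Release files. The parser
# understands all three; only ACCEPTED is treated as sufficient to verify.
HASHER = {"MD5Sum": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256}
ACCEPTED = ("SHA256",)


def digest_hex(alg, data):
    # No key is involved anywhere here: anyone can compute this digest over
    # public data, which is why attacks on the hash are key-independent.
    return HASHER[alg](data).hexdigest()


def build_release(files, algorithms=("MD5Sum", "SHA1", "SHA256")):
    """files: {path: bytes}. Returns text in the Release-file layout (constructed)."""
    lines = ["Suite: constructed", "Codename: constructed"]
    for alg in algorithms:
        lines.append(f"{alg}:")
        for path, data in sorted(files.items()):
            lines.append(f" {digest_hex(alg, data)} {len(data)} {path}")
    return "\n".join(lines) + "\n"


def parse_release(text):
    """Return {algorithm: {path: (hex_digest, size)}} from Release-file text."""
    entries = {}
    current = None
    for line in text.splitlines():
        if line.startswith(" "):
            if current is None:
                continue  # continuation of some other multi-line field
            hex_digest, size, path = line.split()
            entries[current][path] = (hex_digest, int(size))
        elif line.endswith(":") and line[:-1] in HASHER:
            current = line[:-1]
            entries[current] = {}
        else:
            current = None  # an ordinary "Field: value" line ends any section
    return entries


def verify_file(release, path, data):
    """Check data against the strongest accepted digest listed for path.

    Returns the algorithm that matched, or None when the file is described
    only by unaccepted algorithms (MD5Sum, SHA1) or when the digest/size differ.
    """
    for alg in ACCEPTED:
        entry = release.get(alg, {}).get(path)
        if entry is None:
            continue
        expected_hex, expected_size = entry
        if len(data) == expected_size and hmac.compare_digest(
            digest_hex(alg, data), expected_hex
        ):
            return alg
        return None  # mismatch on the strongest available algorithm: reject
    return None


if __name__ == "__main__":
    sample = {"main/binary-amd64/Packages": b"Package: example\nVersion: 1.0\n"}
    release = parse_release(build_release(sample))
    for path, data in sample.items():
        print(path, "verified with", verify_file(release, path, data))
    weak = parse_release(build_release(sample, algorithms=("MD5Sum",)))
    print("MD5-only entry accepted?", verify_file(weak, *next(iter(sample.items()))))
```

The signature over the Release file (which this example does not model) binds these digests to the archive key; everything the signature protects is only as strong as the collision resistance of the listed algorithm, so the verifier ignores sections that would let a colliding file pass.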
