Bug#788783: openssh-client: uses MD5 for key fingerprints
"brian m. carlson" <sandals@crustytoothpaste.net> writes:

> MD5 is not suitable for any application requiring collision resistance,
> such as a key fingerprint.  Please switch to one of the SHA-2 values
> instead, or upgrade to OpenSSH 6.8, which fixes this problem.

Fortunately, your premise is incorrect.  Key fingerprints do /not/
require collision resistance, merely second-preimage resistance.

In finding a collision, the adversary comes up with two messages
simultaneously, such that both of them have the same hash.  So
collisions are only a concern when both the original message whose
authenticity you wanted to check /and/ the claimed copy of it obtained
over an inauthentic channel might have been constructed by an
adversary.

We use key fingerprints to check that we have correct copies of public
keys.  Presumably this is because we're going to trust the public key in
some way.  But if we're going to do that, we're making the /assumption/
that the proper public key was /not/ generated by the adversary -- since
otherwise we'd be crazy to trust it for anything.  And therefore it
can't have been the output of some clever collision-finding algorithm,
because only someone we shouldn't trust would do that.

The remaining possibility is that the adversary has managed to come up
with a new public key (and matching private key) with the same
fingerprint as the target key, which was generated by an honest party.
But that's finding a second preimage, and it's /way/ harder than finding
collisions.

Currently, there are no known second-preimage attacks against MD5.
Ditching MD5 is a good idea, because attacks only get better with time.
But the sky hasn't fallen yet.

-- [mdw]
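As an added illustration, not part of mdw's reply or of OpenSSH's own code, here is how the two fingerprint formats under discussion are computed from an authorized_keys-style line: the hash runs over the decoded binary key blob, not the base64 text, and the declared key type is checked against the type embedded in the blob. The sample key is constructed from fixed bytes and is not a real key.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_pubkey_line(raw32: bytes, comment: str = "example@host") -> str:
    """Build an authorized_keys-style line from 32 raw Ed25519 public key bytes.
    Only used here to construct a sample key; the bytes are not a real key."""
    if len(raw32) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def decode_pubkey_line(line: str) -> bytes:
    """Return the binary key blob from a 'type base64 [comment]' line, after
    checking that the type declared in the line matches the type in the blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in line does not match key type in blob")
    return blob


def fingerprint_md5(line: str) -> str:
    """Legacy fingerprint: MD5 over the blob, shown as colon-separated hex
    (OpenSSH 6.8+ prints this form with ssh-keygen -l -E md5)."""
    digest = hashlib.md5(decode_pubkey_line(line)).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(line: str) -> str:
    """OpenSSH 6.8+ default: SHA-256 over the blob, base64 with padding stripped."""
    digest = hashlib.sha256(decode_pubkey_line(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


SAMPLE_KEY = build_ed25519_pubkey_line(bytes(range(32)))  # constructed sample, not a real key

if __name__ == "__main__":
    print(SAMPLE_KEY)
    print(fingerprint_md5(SAMPLE_KEY))
    print(fingerprint_sha256(SAMPLE_KEY))
```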
