Report of collision-generation with MD5

Brooks Davis brooks at one-eyed-alien.net
Wed Aug 25 13:15:02 PDT 2004


On Wed, Aug 25, 2004 at 09:51:50PM +0200, guy at device.dyndns.org wrote:
> 
> On 18-Aug-2004 Mike Tancsa wrote:
> > As I have no crypto background to evaluate some of the (potentially wild
> > and erroneous) claims being made in the popular press* (eg
> > http://news.com.com/2100-1002_3-5313655.html see quote below), one thing
> > that comes to mind is the safety of ports.  If someone can pad an archive
> > to come up with the same MD5 hash, this would challenge the security of
> > the FreeBSD ports system, no?
> 
> I _believe_ the answer is "no", because I _think_ the FreeBSD ports system also
> verifies the size of the archive(s) (cat /usr/ports/any/any/distinfo to see
> what made me think that).
> 
> Padding would modify the archive size. Finding a backdoored version that both
> produces the same hash and is the same size is probably not
> impossible, but how many years would it take?

I suspect the fact that the files are compressed also adds significantly
to the difficulty, since you don't have a whole lot of direct control
over the bytes of the archive.

Paranoia might suggest adding support for multiple hashes, which would
vastly increase the difficulty of finding a collision (unless the hashes
used are broken in a very similar manner).  If someone can create a
.bz2 containing a trojan that matches size, MD5, and SHA1, we're
probably totally screwed anyway. ;-)  If this were done, adding a
tool to generate multiple hashes in one go would probably make the users
happier, since just reading some of the dist files can take a while.

Hmm, one thing to think about might be making sure the various archive
formats are hard to pad with junk.  I think the stream-based ones need
to allow zero padding at the end to support tapes, but it would be
interesting to see if other junk can end up in padding sections without
the archiver noticing.  If so, that would be a good thing to find a way
to detect.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529  9BF0 5D8E 8BE9 F238 1AD4
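The two ideas raised in the thread, checking a distfile against a distinfo record that carries both a size and several digests (computed in one read of the file), and surfacing junk that an archiver would silently skip after the end of a compressed stream, as an added Python example. This is not code from the thread or from the FreeBSD ports tree; the distfile bytes are constructed here, and the `MD5 (name) = value` / `SIZE (name) = value` line format is the one distinfo uses. The trailing-data check relies on the fact that `bz2.decompress()` ignores anything after a valid end-of-stream marker, whereas `BZ2Decompressor` exposes it as `unused_data`.

```python
import bz2
import hashlib
import re
from typing import Dict, List

# Constructed stand-in for a distfile (not from the original thread).
SAMPLE_NAME = "example-1.0.tar.bz2"
SAMPLE_ARCHIVE = bz2.compress(b"example distfile contents\n" * 4)

HASHES = ("MD5", "SHA1", "SHA256")


def multi_digest(data: bytes, chunk: int = 65536) -> Dict[str, str]:
    """Size plus several digests from a single pass over the data.

    Reading the file once and feeding every hasher the same block is what
    makes "multiple hashes in one go" cheap even for large distfiles.
    """
    hashers = {name: hashlib.new(name.lower()) for name in HASHES}
    size = 0
    for off in range(0, len(data), chunk):
        block = data[off:off + chunk]
        size += len(block)
        for hasher in hashers.values():
            hasher.update(block)
    record = {name: hasher.hexdigest() for name, hasher in hashers.items()}
    record["SIZE"] = str(size)
    return record


def format_distinfo(name: str, record: Dict[str, str]) -> str:
    """Render a record as distinfo lines: 'MD5 (file) = hex', 'SIZE (file) = n'."""
    return "".join(f"{key} ({name}) = {value}\n" for key, value in record.items())


DISTINFO_LINE = re.compile(r"^(\w+) \((.+)\) = (\S+)$")


def parse_distinfo(text: str) -> Dict[str, Dict[str, str]]:
    """Map each file name to its {check: expected value} entries."""
    entries: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        match = DISTINFO_LINE.match(line.strip())
        if match:
            check, fname, value = match.groups()
            entries.setdefault(fname, {})[check] = value
    return entries


def verify_distfile(data: bytes, name: str, distinfo_text: str) -> List[str]:
    """Return a list of failed checks (empty list means the file matches)."""
    expected = parse_distinfo(distinfo_text).get(name)
    if not expected:
        return [f"no distinfo entry for {name}"]
    actual = multi_digest(data)
    problems = []
    for check, want in expected.items():
        got = actual.get(check)
        if got is None:
            problems.append(f"{check}: unsupported check")
        elif got.lower() != want.lower():
            problems.append(f"{check}: expected {want}, got {got}")
    return problems


def trailing_bytes(archive: bytes) -> bytes:
    """Bytes after the bzip2 end-of-stream marker, which bz2.decompress() would drop."""
    decoder = bz2.BZ2Decompressor()
    decoder.decompress(archive)
    if not decoder.eof:
        raise ValueError("truncated bzip2 stream")
    return decoder.unused_data


def classify_trailer(trailer: bytes) -> str:
    """Distinguish the zero padding tape formats need from arbitrary junk."""
    if not trailer:
        return "clean"
    if set(trailer) == {0}:
        return "zero padding"
    return "non-zero junk"


def demo() -> Dict[str, object]:
    """Generate a distinfo record, then check a clean, a padded and a junk-tailed copy."""
    distinfo = format_distinfo(SAMPLE_NAME, multi_digest(SAMPLE_ARCHIVE))
    padded = SAMPLE_ARCHIVE + b"\0" * 16
    junk = SAMPLE_ARCHIVE + b"extra bytes"
    return {
        "good": verify_distfile(SAMPLE_ARCHIVE, SAMPLE_NAME, distinfo),
        "padded": verify_distfile(padded, SAMPLE_NAME, distinfo),
        "good_trailer": classify_trailer(trailing_bytes(SAMPLE_ARCHIVE)),
        "padded_trailer": classify_trailer(trailing_bytes(padded)),
        "junk_trailer": classify_trailer(trailing_bytes(junk)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The padded copy fails the SIZE line before any digest is even consulted, which is the point made in the thread: a size check turns "append bytes until the hash matches" into "find a same-length input", and the trailer check catches the appended bytes regardless of what any hash says.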