Report of collision-generation with MD5
Scott Gerhardt
scott at g-it.ca
Wed Aug 25 15:08:16 PDT 2004
>
> On 18-Aug-2004 Mike Tancsa wrote:
>> As I have no crypto background to evaluate some of the (potentially
>> wild
>> and erroneous) claims being made in the popular press* (eg
>> http://news.com.com/2100-1002_3-5313655.html see quote below), one
>> thing
>> that comes to mind is the safety of ports. If someone can pad an
>> archive
>> to come up with the same MD5 hash, this would challenge the security
>> of
>> the FreeBSD ports system no ?
>
> I _believe_ answer is "no", because i _think_ the FreeBSD ports system
> also
> verify the size of the archive(s) (cat /usr/ports/any/any/distinfo to
> see
> what made me think that).
>
> Padding would modify archive size. Finding a backdoored version that
> both
> satisfy producing the same hash and being the same size is probably not
> impossible, but how many years would it take ?
>
>
> Now, i may be wrong. Any enlightement welcome.
>
> --
> Guy
> _______________________________________________
>
Why not adopt the OpenBSD method for ports. OpenBSD supplies 3
hash/digests for downloaded binaries and sources. Those OpenBSD guys
leave nothing to chance.
ports/databases/postgresql] scott% cat distinfo
MD5 (postgresql-7.3.5.tar.gz) = ef2751173050b97fad8592ce23525ddf
RMD160 (postgresql-7.3.5.tar.gz) =
83d5f713d7bfcf3ca57fb2bcc88d052982911d73
SHA1 (postgresql-7.3.5.tar.gz) =
fbdab6ce38008a0e741f8b75e3b57633a36ff5ff
Thanks,
--
Scott A. Gerhardt, P.Geo.
Gerhardt Information Technologies
More information about the freebsd-security
mailing list