svn commit: r186836 - head/sbin/md5

Colin Percival cperciva at
Tue Jan 6 11:25:24 PST 2009

Author: cperciva
Date: Tue Jan  6 19:25:24 2009
New Revision: 186836

  Strengthen some of the language concerning attacks on MD5, in light of the
  recent demonstration of a forged SSL certificate.  Add text pointing out
  that SHA-1 is at least theoretically broken.  Add a recommendation that
  new applications use SHA-256.
  MFC after:	1 month


Modified: head/sbin/md5/md5.1
--- head/sbin/md5/md5.1	Tue Jan  6 19:00:12 2009	(r186835)
+++ head/sbin/md5/md5.1	Tue Jan  6 19:25:24 2009	(r186836)
@@ -49,15 +49,23 @@ key under a public-key cryptosystem such
 .Tn RSA .
 .Tn MD5
-has not yet (2007-03-05) been broken, but sufficient attacks have been
-made that its security is in some doubt.
-The attacks on
+has been completely broken as far as finding collisions is
+concerned, and should not be relied upon to produce unique outputs.
+This also means that
 .Tn MD5
-are in the nature of finding
-.Dq collisions
-\(em that is, multiple
-inputs which hash to the same value; it is still unlikely for an attacker
-to be able to determine the exact original input given a hash value.
+should not be used as part of a cryptographic signature scheme.
+At the current time (2009-01-06) there is no publicly known method to
+"reverse" MD5, i.e., to find an input given a hash value.
+.Tn SHA-1
+currently (2009-01-06) has no known collisions, but an attack has been
+found which is faster than a brute-force search, placing the security of
+.Tn SHA-1
+in doubt.
+It is recommended that all new applications use
+.Tn SHA-256
+instead of one of the other hash functions.
 The following options may be used in any combination and must
 precede any files named on the command line.
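Review bot: the new line `"reverse" MD5, i.e., to find an input given a hash value.` uses literal ASCII double quotes, while the removed text wrapped the same kind of term with the mdoc macro (`.Dq collisions`); for consistency with the rest of the manual page, put `.Dq reverse` on its own line instead of the quoted word. A smaller point: the date `(2009-01-06)` now appears twice in the hunk; the removed text had one dated statement, and keeping a single date (or none, letting the page's own revision date carry it) would make future updates less error-prone, since one of the two is easy to miss when the text is next revised.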
