As for toy examples, I fail to see how two X.509 certificates which collide, and two PDF documents which collide, are toy examples. In neither case were the structures or content arbitrary from the standpoint of the recipient viewer. Indeed, the published attack requires on its face only that you can add an arbitrary suffix of maximum 512 bits (64 bytes). That gives you tremendously wide latitude.
Indeed, I fail to see how there could be such a thing as a toy example, anyhow. The purpose of
a cryptographic hash is that you can make reasonable declarations about the qualities of the
algorithm without reference or qualification to the structure or content of the input. You
cannot do that now, so it's no longer a secure hash. Period.
Why people are defending this is beyond me. It's broken. People shouldn't be using it, particularly for such a use (as opposed to simply for one-wayness).
Posted Dec 17, 2007 22:40 UTC (Mon) by khim (subscriber, #9252)
The purpose of a cryptographic hash is that you can make reasonable declarations about the qualities of the algorithm without reference or qualification to the structure or content of the input.
Sorry, but this is a piece of bullshit. The main purpose of a cryptographic hash is to guarantee immutability of signed data in most cases (including the distribution case). It's called second preimage resistance. And both MD5 and SHA1 are not broken in the sense that a second preimage attack is implementable.
What is the hoopla all about then? MD5 and SHA1 were found not collision resistant. Yes, there exist applications where this is a requirement. For example, you can not use it to prove that you've sent file A and not file B. But signing of tarballs is not such an application: if an attacker can alter the original tarball on the ftp site before it's signed up, you have a much bigger problem than just problems with collisions.
While it becomes easier and easier to find collisions, a preimage attack is still quite hard (a preimage attack is not just "slightly harder" than a collision attack; it's "billions of billion times harder" than a collision attack initially and thus still far from being cracked). Of course now it's not the time to be complacent (I'm pretty sure the next stage will be a preimage attack), but from a practical viewpoint MD5 is still not broken...