Point is - you know nothing about cryptography, right?

Posted Dec 17, 2007 22:46 UTC (Mon) by khim (subscriber, #9252)
In reply to: SquirrelMail 1.4.13 released - older versions compromised by wahern
Parent article: SquirrelMail 1.4.13 released - older versions compromised

> I'm not familiar enough with the weakness of MD5 to judge the complexity of an attack which doesn't just use a suffix. It may be simply slightly marginally more difficult to find a collision if you modify the tail instead of appending; I dunno.

It's quite easy to find a collision if you can just modify something in the middle of the file (like a piece of documentation no one cares about or just some picture). But all such attacks will only work if the "black hat" can alter the tarball after it's created and the official signature is created. If the "black hat" can alter your tarball at this stage then you have a lot of much bigger problems than just MD5 collisions: he or she can just add a backdoor directly to the source, create the tarball and sign it - why bother with MD5 collisions at all?



Point is - you know nothing about cryptography, right?

Posted Dec 18, 2007 6:33 UTC (Tue) by njs (guest, #40338) [Link]

>if "black hat" can alter the tarball after it's created and official signature is created.

I think you mean, "after [the tarball] is created *but before* the official signature is created". I.e., they need to perform some sort of complicated swaparoo on the people doing the security announcement, and if you can do that, then you don't need a hash collision. MD5's weaknesses are just completely irrelevant to this use case.

Maybe if we try another way of explaining... when people say MD5 is broken, what that means (for now) is that I can: take that tarball from the website with hash A, and then use it to create two new, different tarballs, that have the same hash B. Critically, A and B will be different (and I can't pick what B will be ahead of time). So: there are *three* files here: 1) the original, valid tarball, which has hash A, 2) one of my "evil" "copies", which has hash B, 3) the other one of my "evil" "copies", which also has hash B.

The result is that if you have a file with hash B, you don't know whether that's file (2) or (3) above, but if you have a file with hash A, then you can be certain that it is file (1). The security announcement is there to tell you what hash A is.
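The three-file picture from the comment above, and khim's point that a change "in the middle of the file" is enough, as an added worked example that is not part of the thread. It is constructed: the hash is a toy (MD5 truncated to 24 bits) so that a plain birthday search finds a collision in milliseconds, the file names and contents are made up, and `find_identical_prefix_collision`, `verify_download` and `three_files_demo` are names chosen here. What it reproduces is only the shape of the argument: two different copies sharing a digest B that the attacker did not get to choose, neither of which matches the announced digest A, so a verifier that compares against A accepts file (1) and rejects files (2) and (3).

```python
import hashlib
import hmac

TRUNC_BYTES = 3  # toy: keep 24 bits of MD5 so a birthday search finishes instantly


def toy_digest(data: bytes) -> bytes:
    """Weak stand-in for a broken hash: MD5 truncated to 24 bits (constructed toy)."""
    return hashlib.md5(data).digest()[:TRUNC_BYTES]


def find_identical_prefix_collision(prefix: bytes, suffix: bytes, max_tries: int = 1 << 20):
    """Birthday search for two different middles m1 != m2 such that
    toy_digest(prefix + m1 + suffix) == toy_digest(prefix + m2 + suffix).

    This models 'modify something in the middle of the file' against a toy hash.
    Note what it cannot do: pick the shared digest B in advance, and in
    particular make B equal to the announced hash A of the original file."""
    seen = {}  # digest -> first middle that produced it
    for counter in range(max_tries):
        middle = b"padding-%08d\n" % counter  # distinct for every counter value
        d = toy_digest(prefix + middle + suffix)
        if d in seen:
            return seen[d], middle
        seen[d] = middle
    raise RuntimeError("no collision within max_tries")


def verify_download(data: bytes, announced_digest: bytes) -> bool:
    """The defender's check: does the downloaded file match hash A from the announcement?"""
    return hmac.compare_digest(toy_digest(data), announced_digest)


def three_files_demo():
    """Build files (1), (2) and (3) from the comment and return them with hashes A and B."""
    prefix = b"squirrelmail-1.4.13/ChangeLog\n"        # constructed sample content
    suffix = b"\n-- end of constructed archive --\n"
    original = prefix + b"Nobody reads this paragraph.\n" + suffix  # file (1)
    hash_a = toy_digest(original)                                 # announced hash A
    m1, m2 = find_identical_prefix_collision(prefix, suffix)
    evil1 = prefix + m1 + suffix  # file (2)
    evil2 = prefix + m2 + suffix  # file (3)
    hash_b = toy_digest(evil1)    # shared by (2) and (3); not chosen by the attacker
    return {"original": original, "evil1": evil1, "evil2": evil2,
            "hash_a": hash_a, "hash_b": hash_b}


if __name__ == "__main__":
    r = three_files_demo()
    print("A =", r["hash_a"].hex(), " B =", r["hash_b"].hex())
    for name in ("original", "evil1", "evil2"):
        print(name, "matches announced A:", verify_download(r[name], r["hash_a"]))
```

The 24-bit truncation is what makes a naive birthday loop work; the 2007-era results against full MD5 are identical-prefix collisions found with specialised differential-path search, not by brute force. The structural lesson is the same either way: the collision pair shares a digest the attacker did not choose, so a download checked against the digest A published in the signed announcement still distinguishes file (1) from files (2) and (3). The attack only becomes relevant if the attacker can substitute a file before A is computed and announced, which is the access khim and njs say makes the hash weakness beside the point.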

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds