bug#6789: MD5 is broken
From: Bruno Haible
Subject: bug#6789: MD5 is broken
Date: Sun, 8 Aug 2010 15:26:15 +0200
User-agent: KMail/1.9.9
Simon Josefsson wrote:
> MD5 is broken, and
> finding collisions takes just seconds on a normal PC. See:
> http://en.wikipedia.org/wiki/MD5#Security
Here is a suggested patch to improve the awareness of this issue in
coreutils.
- The documentation of md5sum currently says "modifying a file
so as to retain its MD5 [is] considered infeasible at the moment",
but the research results of 2008 mentioned in
<http://en.wikipedia.org/wiki/MD5#Security> showed how to manipulate
a digital certificate so that the validity of its MD5 signature can
be retained.
- The documentation of md5sum says "For more secure hashes, consider
using SHA-1 or SHA-2." Well, researchers have already discovered
security weaknesses in <http://en.wikipedia.org/wiki/SHA-1>, therefore
it does not seem adequate to recommend SHA-1 any more.
- The 'md5sum --help' output and, with it, the manual page are silent
about the security problems.
Here is a proposed patch to make this clearer.
2010-08-08 Bruno Haible <address@hidden>
md5sum: Put more emphasis on security weaknesses.
* doc/coreutils.texi (md5sum invocation): Mention currently known
security problems. Don't recommend SHA-1 as alternative.
* src/md5sum.c (usage): Mention that MD5 is not secure. Recommend
SHA-2 as alternative.
Reported by Simon Josefsson <address@hidden>.
--- doc/coreutils.texi.orig Sun Aug 8 15:13:06 2010
+++ doc/coreutils.texi Sun Aug 8 15:10:26 2010
@@ -3414,14 +3414,13 @@
Note: The MD5 digest is more reliable than a simple CRC (provided by
the @command{cksum} command) for detecting accidental file corruption,
as the chances of accidentally having two files with identical MD5
-are vanishingly small. However, it should not be considered truly
-secure against malicious tampering: although finding a file with a
-given MD5 fingerprint, or modifying a file so as to retain its MD5 are
-considered infeasible at the moment, it is known how to produce
-different files with identical MD5 (a ``collision''), something which
-can be a security issue in certain contexts. For more secure hashes,
-consider using SHA-1 or SHA-2. @xref{sha1sum invocation}, and
address@hidden utilities}.
+are vanishingly small. However, it should not be considered secure
+against malicious tampering: although finding a file with a given MD5
+fingerprint is considered infeasible at the moment, it is known how
+to modify certain files, including digital certificates, so that they
+appear valid when signed with an MD5 digest. (See
address@hidden://en.wikipedia.org/wiki/MD5#Security} for details.)
+For more secure hashes, consider using SHA-2. @xref{sha2 utilities}.
If a @var{file} is specified as @samp{-} or if no files are given
@command{md5sum} computes the checksum for the standard input.
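Review bot: the replacement sentence "it is known how to modify certain files, including digital certificates, so that they appear valid when signed with an MD5 digest" (the three `+` lines after "fingerprint is considered infeasible at the moment") overstates the attack and drops the one precise term the old text had, "collision". The 2008 certificate result is a collision attack: the attacker prepares two inputs in advance that share a digest. It is not a way to alter an arbitrary file that has already been signed; that is the second-preimage case, which the preceding clause still correctly calls infeasible. Suggest keeping the collision wording, e.g. "it is known how to produce two different files with the same MD5 (a ``collision''), and this has been used to forge digital certificates." Separately, the removed line `address@hidden utilities}` and the added `address@hidden://en.wikipedia.org/wiki/MD5#Security}` look like the archive's address masking applied to Texinfo commands, so this hunk should be checked against the original mail rather than this rendering.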
--- src/md5sum.c.orig Sun Aug 8 15:13:06 2010
+++ src/md5sum.c Sun Aug 8 14:48:57 2010
@@ -196,6 +196,15 @@
a line with checksum, a character indicating type (`*' for binary, ` ' for\n\
text), and name for each FILE.\n"),
DIGEST_REFERENCE);
+#if HASH_ALGO_MD5
+ printf (_("\
+\n\
+The MD5 algorithm should not be used any more for security related purposes,\n\
+see <%s>.\n\
+Instead, better use an SHA-2 algorithm, implemented in the programs\n\
+sha224sum, sha256sum, sha384sum, sha512sum.\n"),
+ "http://en.wikipedia.org/wiki/MD5#Security");
+#endif
emit_ancillary_info ();
}
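Review bot: two wording issues in the new help string. "Instead, better use an SHA-2 algorithm" is not idiomatic English for a translatable `--help` message; suggest "Use one of the SHA-2 algorithms instead, provided by sha224sum, sha256sum, sha384sum and sha512sum.", and "security related" should be "security-related". The `#if HASH_ALGO_MD5` guard is the right place for this, since the same usage() is presumably compiled for the sha*sum programs, and passing the URL as a `%s` argument rather than inside `_()` keeps it out of the translated string. A Wikipedia section anchor is a fragile reference to ship in help output, though; the texi hunk already carries the detail, so pointing at the manual would age better.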
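As an added example (not part of this patch or of coreutils), a POSIX sh verifier for coreutils-format checksum manifests that applies the policy this message argues for: MD5 and SHA-1 lines are refused, SHA-2 lines are verified with the matching sha*sum tool. The function names, messages and exit codes are my own choices.

```shell
#!/bin/sh
# Verifier for coreutils-style checksum manifests ("<hex>  <name>" or
# "<hex> *<name>", '*' marking binary mode). Added example, not coreutils code.
# Policy: MD5 and SHA-1 are not collision resistant, so their lines are
# refused; only SHA-2 lines are verified, using the matching sha*sum tool.

# digest_algo HEXDIGEST: name the coreutils tool by digest length.
digest_algo() {
    case ${#1} in
        32)  echo md5sum ;;
        40)  echo sha1sum ;;
        56)  echo sha224sum ;;
        64)  echo sha256sum ;;
        96)  echo sha384sum ;;
        128) echo sha512sum ;;
        *)   echo unknown ;;
    esac
}

# check_manifest FILE: return 0 if every line verifies with a SHA-2 tool,
# 2 if any line uses a refused or unknown algorithm (takes precedence),
# 1 if a SHA-2 digest does not match. Names are relative to the cwd;
# backslash-escaped names (lines starting with '\') are not handled.
check_manifest() {
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        digest=${line%% *}          # text before the first space
        rest=${line#* }             # mode character followed by the name
        name=${rest#[ *]}           # drop the ' ' / '*' mode character
        algo=$(digest_algo "$digest")
        case $algo in
            md5sum|sha1sum|unknown)
                printf '%s: REFUSED (%s digest)\n' "$name" "$algo" >&2
                status=2
                continue ;;
        esac
        # A missing or unreadable file simply fails to match.
        actual=$("$algo" "$name" 2>/dev/null) || actual=missing
        actual=${actual%% *}
        if [ "$actual" = "$digest" ]; then
            printf '%s: OK\n' "$name"
        else
            printf '%s: FAILED\n' "$name" >&2
            [ "$status" -ne 0 ] || status=1
        fi
    done < "$1"
    return $status
}
```

Run it as `check_manifest SHA256SUMS` from the directory the manifest refers to; an existing MD5SUMS file is reported line by line as refused rather than verified.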