Gentoo Forums
MD5 Vulnerable Now?
SeeFue
n00b


Joined: 04 Dec 2003
Posts: 17
Location: Texas

Posted: Fri Aug 20, 2004 4:50 pm    Post subject: MD5 Vulnerable Now?

http://news.com.com/Crypto+researchers+abuzz+over+flaws/2100-1002_3-5313655.html?tag=st.popthis Is this as bad as they make it sound? Should Gentoo be concerned with this?
aetius
Tux's lil' helper


Joined: 09 Jul 2004
Posts: 118

Posted: Fri Aug 20, 2004 5:23 pm

Yes and no.

Yes, this is a big deal, and it needs to be paid attention to. New methods for compromising cryptographic algorithms are important, and that's why a lot of research goes into them.

No, in that this is normal for cryptography. As time progresses, some functions are defeated, and others are found or made stronger. Time goes on. People will move away from MD5 and SHA-1 and on to something else that is stronger. This isn't anything to cry about, and it certainly isn't a problem today (unless you're going up against the NSA, in which case you better be using more than MD5 or SHA-1).

What these researchers are saying is essentially this: collisions (two data items that result in the same MD5 or SHA-1 signature) are somewhat more easily found than we thought, at least partway through the hashing process. It's a jump from there to "I can create a collision for any given signature", though not a huge one. BUT ... from past experiences the success of these kinds of attacks is an indicator that the algorithm is vulnerable, and eventually will be compromised. Like the article said, this just means it's time to move on.

Areas where this affects Linux, and Gentoo:

MD5 is used to certify that the code you are receiving is the same code the developer put up there. This needs to be upgraded - it's fine for accidental problems (download issues, etc) but won't stand up if someone breaks into the rsync servers and actively inserts a trojan.

MD5 is used to hash the passwords stored in /etc/shadow. When login and PAM check your password, they check the hash of what you typed in vs what is stored on the server. This is not utterly critical because this problem has cropped up before, and now /etc/shadow is only readable by root. However, it still means that pam_unix needs to be updated to use more than MD5, not a huge deal.

SHA-1 is involved in PGP/GPG, SSL, and a few other things, all of which will need to be updated. None of this is difficult, since these programs are designed to use modular encryption code -- it's mostly a matter of changing the default.

All of the open source software that needs to be updated probably will be updated in the next few months. Commercial software? Well .... good luck with that. :) The thing most likely to consume time is choosing what algorithm to move to.
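
An added example (not part of the original thread) for the /etc/shadow point in the post above: it classifies each entry of shadow(5)-format text by its crypt(3) scheme prefix and lists accounts still stored as MD5-crypt or DES. The sample entries, their salt/hash strings, and the function names are constructed for this example.

```python
# Added example: flag shadow(5) entries whose hash uses a weak crypt(3) scheme.
# SAMPLE is constructed; its salt/hash strings are placeholders, not real hashes.

# crypt(3) identifiers: the text between the first two '$' of the hash field.
SCHEMES = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt",
    "7": "scrypt", "y": "yescrypt", "gy": "gost-yescrypt",
}
WEAK = {"md5crypt", "des", "bsdi-des"}


def classify(field):
    """Return (scheme, locked) for the second field of a shadow line."""
    locked = field.startswith(("!", "*"))   # '!' or '*' marks a locked account
    body = field.lstrip("!*")               # a locked entry may still carry a hash
    if not body:
        return ("none" if locked else "empty", locked)
    if body.startswith("$"):
        return (SCHEMES.get(body.split("$")[1], "unknown"), locked)
    if body.startswith("_"):
        return ("bsdi-des", locked)
    return ("des" if len(body) == 13 else "unknown", locked)


def audit(shadow_text):
    """Return [(user, scheme, locked)] for entries stored with a weak scheme."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme, locked = classify(fields[1])
        if scheme in WEAK:
            findings.append((fields[0], scheme, locked))
    return findings


SAMPLE = """\
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
alice:$1$CONSTRSALT$CONSTRUCTEDHASH:12650:0:99999:7:::
bob:!$1$CONSTRSALT$CONSTRUCTEDHASH:12650:0:99999:7:::
daemon:*:12650:0:99999:7:::
carol:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme, locked in audit(SAMPLE):
        print(f"{user}: {scheme}{' (locked)' if locked else ''}")
```

On a real system the input would be the contents of /etc/shadow, read as root; a flagged account keeps its old scheme until its password is next changed under the updated pam_unix setting.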
All times are GMT