Gentoo Archives: gentoo-dev

From: Chris Bainbridge <chrb@g.o>
To: gentoo-core@l.g.o
Cc: gentoo-dev@l.g.o
Subject: [gentoo-dev] Re: good time to stop using MD5's
Date: Wed, 25 Aug 2004 13:15:21
1 On Tuesday 24 August 2004 20:23, Chris Gianelloni wrote:
2 > ...except in our case we're giving any possible attacker the "original
3 > message" in the original tarball/ebuild/Manifest/whatever...  They do
4 > not have to work from the arbitrary hash, at all.
6 As far as I understand what was shown against SHA, they have an attack that
7 allows them to produce hash collisions, but they have to be able to change
8 both texts. ie. they can produce two texts which have the same hash by
9 generating both texts together. What they can't do is copy an existing file
10 and then alter it to generate the same hash. (disclaimer - I haven't rtfp,
11 please correct me here if I'm wrong!)
13 In the gentoo case, this means an attacker could generate a hash collision
14 only if they have the ability to change the tarball/ebuild/patch before it is
15 hashed by a gentoo developer. The easiest way to exploit this would be as a
16 gentoo developer. I could add some trivial patch to glibc and generate it so
17 that it collides with some backdoor code, and then cvs commit it. Normal
18 people see this patch and it looks ok, but I can now do a man-in-the-middle
19 attack and replace that file with my backdoor on any gentoo box. Interesting
20 huh? You could do the same thing with user submitted patches, as long as they
21 get added unaltered.
23 Anyway, the attacks so far have only been against md5, sha0, and 40 round
24 sha1. Full sha1 is still secure, so that is what we should be using.
26 --
27 gentoo-dev@g.o mailing list