On Tuesday, February 12, 2019, Wes Turner <wes.turner@gmail.com> wrote:
On Tuesday, February 12, 2019, Jeremy Stanley <fungi@yuggoth.org> wrote:
> On 2019-02-12 13:37:20 -0500 (-0500), Wes Turner wrote:
> > MD5 is no longer suitable for verifying package integrity.
> >
> > https://en.wikipedia.org/wiki/MD5#Security
> >
> > > The security of the MD5 hash function is severely compromised. A
> > > collision attack exists [...] there is also a chosen-prefix
> > > collision attack
> [...]
> The difference between collision (or chosen-prefix collision) and
> preimage (or second preimage) attacks is still very relevant. With
> MD5 you can't trust that someone who provided you with an input and
> a hash of that input hasn't carefully crafted that input so that
> there is also a second input which results in the same hash. Or in
> package terms, you can't trust that the package you've received
> wasn't part of a contrived scheme on the part of someone you've
> already decided to trust. You can still rest assured (for now
> anyway) that the package you receive is the same one the person or
> system providing the MD5 checksum intended for you to receive.

It is possible to find a nonce value that causes an arbitrary package to have the same MD5 hash as the actual package.

E.g. browsers MUST NOT rely upon MD5 for X.509 certificate SSL/TLS/HTTPS fingerprints for exactly this reason.

> But because trying to explain this nuance to people is considerably
> harder than just saying "MD5 bad", it's simply not worth trying to
> have the discussion most of the time, and so easier instead to
> replace it with a more modern alternative and move on with your
> life.
> --
> Jeremy Stanley
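The collision-versus-preimage distinction Jeremy draws above can be checked directly. The following is an added example, not part of the thread: the two 128-byte inputs are the published MD5 colliding pair reproduced on the Wikipedia MD5 page that the thread links (their shared digest is the published value), while the package suffix, the single-byte tamper and the `verify_checksum` helper are constructed for this illustration. It shows that a publisher can ship two different files with one MD5, that the collision survives appending an identical payload (MD5 is an iterated construction, so colliding prefixes of whole blocks stay colliding), that SHA-256 separates the two, and that an outsider's edit to the file the publisher actually intended still changes its MD5, which is the guarantee the thread says still holds for now.

```python
"""MD5 collision vs. (second) preimage, as discussed in the thread above.

Added example, not from the mailing-list post. The two colliding blocks
are the published Wang et al. pair (see the Wikipedia MD5 article linked
in the thread); everything else here is constructed for this demo.
"""
import hashlib
import hmac

# Published MD5 collision: two different 128-byte inputs, one MD5 digest.
COLLIDING_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLIDING_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
EXPECTED_COLLISION_MD5 = "79054025255fb1a26e4bc422aef54eb4"  # published digest

# Constructed stand-in for package content that both variants share.
COMMON_SUFFIX = b"\n# constructed package payload shared by both variants\n"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collision_holds() -> bool:
    """A party you already trust can hand you two *different* inputs with one MD5."""
    return COLLIDING_A != COLLIDING_B and md5_hex(COLLIDING_A) == md5_hex(COLLIDING_B)


def collision_survives_common_suffix() -> bool:
    """Both colliding inputs are exactly two MD5 blocks and leave the internal
    state identical, so appending the same tail keeps the digests equal. That is
    how a colliding prefix can be buried inside two otherwise ordinary files."""
    pkg_a = COLLIDING_A + COMMON_SUFFIX
    pkg_b = COLLIDING_B + COMMON_SUFFIX
    return pkg_a != pkg_b and md5_hex(pkg_a) == md5_hex(pkg_b)


def sha256_distinguishes() -> bool:
    """A modern checksum sees two different files."""
    return sha256_hex(COLLIDING_A) != sha256_hex(COLLIDING_B)


def third_party_tamper_detected() -> bool:
    """The guarantee that still holds: an outsider who alters the file the
    publisher intended cannot (with known attacks) keep the published MD5.
    The tamper here is a constructed single-byte flip at the end of the file."""
    intended = COLLIDING_A + COMMON_SUFFIX
    published_md5 = md5_hex(intended)
    tampered = bytearray(intended)
    tampered[-1] ^= 0x01
    return md5_hex(bytes(tampered)) != published_md5


def verify_checksum(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Constant-time comparison of downloaded bytes against a published digest.
    Defaults to SHA-256; accept algorithm="md5" only for legacy metadata."""
    digest = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(digest, expected_hex.lower())


if __name__ == "__main__":
    print("MD5(A) =", md5_hex(COLLIDING_A))
    print("MD5(B) =", md5_hex(COLLIDING_B))
    print("collision holds:", collision_holds())
    print("collision survives common suffix:", collision_survives_common_suffix())
    print("SHA-256 distinguishes the two:", sha256_distinguishes())
    print("outsider's byte flip caught by MD5:", third_party_tamper_detected())
```

For a package index the practical consequence is the one Jeremy draws: an MD5 checksum still catches a corrupted or swapped download from a mirror, but it cannot tell you that the publisher only ever had one version of the file, so the published digest should be SHA-256 (or stronger) and the download compared against it in constant time as `verify_checksum` does.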