On Tuesday, February 12, 2019, Jeremy Stanley <fungi@yuggoth.org> wrote:
On 2019-02-12 17:02:25 -0500 (-0500), Wes Turner wrote:
> On Tuesday, February 12, 2019, Wes Turner <wes.turner@gmail.com> wrote:
[...]
> > It is possible to find a nonce value that causes an arbitrary package to
> > have the same MD5 hash as the actual package.
>
> e.g. browsers MUST NOT rely upon MD5 for x.509 certificate SSL/TLS/HTTPS
> fingerprints for exactly this reason.
[...]

I fear we're verging far into armchair crypto here, but you're
either making buzzword soup or have a severely flawed understanding
of the algorithms involved. There is no nonce in an IETF RFC 1321
(colloquially "MD5 checksum") implementation, so please at least
attempt to frame your assertions using terms found in the canonical
literature.

Creating a malicious package which computes to the same MD5 checksum
as an existing package of your choice would require that the second
preimage resistance of the MD5 algorithm is broken, or that you got
(time complexity 2^128) "lucky." Uses of MD5 elsewhere which mix in
attacker-controlled inputs to generate the reference output are
another story entirely, but as with anything in the information
security field the actual risk depends on your threat model.

I'm not about to recommend MD5 to anyone these days, don't get me
wrong. There are (at least marginally, again depending on your
threat model) better alternatives which require no additional effort
if you're designing a system from scratch. But let's not
mischaracterize the qualities of any algorithm, as it makes it
difficult for someone who does understand the differences to take us
seriously.

All it has to be is an archive containing a setup.py.

"MD5 considered harmful today:
Creating a rogue CA certificate" (2008)
https://www.win.tue.nl/hashclash/rogue-ca/
 
--
Jeremy Stanley
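As an added illustration of the threat-model point made above (this is not code from anyone in the thread, and the function names and the pip-style `algorithm:hexdigest` spec format are my own choices for the example), here is how an installer can pin a downloaded archive to a reference digest while refusing MD5 and SHA-1 outright, so the "attacker-controlled inputs" case never arises in the verification step:

```python
import hashlib
import hmac

# Digests accepted for verifying a downloaded package archive. MD5 and SHA-1
# are deliberately absent: their collision resistance is broken, so a reference
# digest produced from attacker-influenced input cannot be trusted with them.
ALLOWED_ALGORITHMS = {"sha256", "sha384", "sha512"}


def parse_hash_spec(spec):
    """Parse an "algorithm:hexdigest" pin (format assumed for this example).

    Returns (algorithm, hexdigest); raises ValueError for a malformed spec or
    an algorithm outside the allow-list.
    """
    algorithm, sep, hexdigest = spec.partition(":")
    if not sep or not hexdigest:
        raise ValueError("hash spec must look like 'sha256:<hex>'")
    algorithm = algorithm.lower()
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"refusing weak or unknown digest algorithm: {algorithm}")
    try:
        bytes.fromhex(hexdigest)
    except ValueError:
        raise ValueError("hexdigest is not valid hex") from None
    expected_len = hashlib.new(algorithm).digest_size * 2
    if len(hexdigest) != expected_len:
        raise ValueError(f"{algorithm} digest must be {expected_len} hex chars")
    return algorithm, hexdigest.lower()


def is_acceptable_spec(spec):
    """True if the spec parses and names an allowed algorithm."""
    try:
        parse_hash_spec(spec)
    except ValueError:
        return False
    return True


def digest_bytes(algorithm, data):
    """Hex digest of data under the named algorithm (any hashlib name)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify_archive(data, spec):
    """True iff data matches the pinned digest; the pin decides the algorithm."""
    algorithm, expected = parse_hash_spec(spec)
    actual = digest_bytes(algorithm, data)
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed stand-in for an sdist; a real installer would read the file.
    archive = b"constructed archive bytes containing a setup.py"
    pin = "sha256:" + digest_bytes("sha256", archive)
    print("sha256 pin verifies:", verify_archive(archive, pin))
    print("md5 pin accepted:", is_acceptable_spec("md5:" + digest_bytes("md5", archive)))
```

The pin fixes both the algorithm and the expected value before the archive is fetched, so the downloader cannot steer which function is used, and a single modified byte in the archive fails the check.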