[Catalog-sig] hash tags

Donald Stufft donald at stufft.io
Fri Mar 8 22:32:21 CET 2013


On Mar 8, 2013, at 4:12 PM, PJ Eby <pje at telecommunity.com> wrote:

> On Fri, Mar 8, 2013 at 2:52 PM, Noah Kantrowitz <noah at coderanger.net> wrote:
>> MD5 is _not_ acceptable for anything security related and we shouldn't be adding anything that increases our dependence on it. MD5's only use in the packaging world is to make people who forget that TCP has its own checksums feel all warm and fuzzy that there hasn't been _accidental_ download corruption.
> 
> So, you're saying that someone has found a second-preimage attack
> against MD5 that's more efficient than the current 2**127 threshold
> established in 2009?
> 
> "Anything security related" is pretty broad.  Out of the many classes
> of attacks on hashes, AFAIK the only class that's relevant to PyPI is
> second preimage attacks,  i.e. one where the attacker has the original
> file and the hash, and must construct a new file that produces the
> same hash value.
> 
> Did you have some other type of hash attack in mind?  And in either
> case, do you have a referent for the attack complexity?

Here's some more information pulled straight from Wikipedia:

However, it has since been shown that MD5 is not collision resistant;[3] as such, MD5 is not suitable for applications like SSL certificates or digital signatures that rely on this property. In 1996, a flaw was found with the design of MD5, and while it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1—which has since been found to be vulnerable as well. In 2004, more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable—specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum.[4][5] Further advances were made in breaking MD5 in 2005, 2006, and 2007.[6] In December 2008, a group of researchers used this technique to fake SSL certificate validity,[7][8] and CMU Software Engineering Institute now says that MD5 "should be considered cryptographically broken and unsuitable for further use",[9] and most U.S. government applications now require the SHA-2 family of hash functions.[10]

Here's the important highlights:

    - specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum
    - MD5 "should be considered cryptographically broken and unsuitable for further use"


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
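The thread is about the `#md5=<hex>` hash tags that index links carry and whether MD5 is acceptable there. The following is an added example (not code from the thread, PyPI or any installer) showing how a client can parse such a tag, verify a download against it, and make the MD5 question an explicit policy decision rather than something the link format decides: a collision-resistant algorithm in the tag counts as a security check, an MD5 or SHA-1 tag counts only as protection against accidental corruption, and the caller chooses whether that weaker level is enough. The fragment syntax `<algorithm>=<hexdigest>`, the two policy sets, the helper names and the sample bytes are all assumptions made for this example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Policy, assumed for this example: which tag algorithms a client treats as
# tamper-evident versus only useful for catching accidental corruption.
SECURE_ALGORITHMS = {"sha256", "sha384", "sha512"}
INTEGRITY_ONLY_ALGORITHMS = {"md5", "sha1"}

# Constructed sample payload standing in for a downloaded sdist; not a real package.
SAMPLE = b"constructed sdist bytes, not a real package\n"


class HashTagError(ValueError):
    """Raised when a hash tag is malformed, missing, mismatched or disallowed."""


def build_hash_tag_link(base_url, alg, data):
    """Attach an '<alg>=<hex>' fragment to base_url, as an index would publish it."""
    return "%s#%s=%s" % (base_url, alg, hashlib.new(alg, data).hexdigest())


def parse_hash_tag(url):
    """Return (algorithm, hexdigest) from the link fragment, or None if there is no fragment."""
    frag = urlparse(url).fragment
    if not frag:
        return None
    alg, sep, hexdigest = frag.partition("=")
    if not sep:
        raise HashTagError("fragment is not an <alg>=<hex> hash tag: %r" % frag)
    alg = alg.lower()
    if alg not in hashlib.algorithms_guaranteed:
        raise HashTagError("unknown hash algorithm %r" % alg)
    try:
        raw = bytes.fromhex(hexdigest)
    except ValueError:
        raise HashTagError("digest is not hex: %r" % hexdigest)
    # Reject truncated digests: a short tag would otherwise still "match" a prefix.
    if len(raw) != hashlib.new(alg).digest_size:
        raise HashTagError("digest length does not match %s" % alg)
    return alg, hexdigest.lower()


def verify_download(url, data, require_secure=True):
    """Check data against the link's hash tag.

    Returns "secure" when a collision-resistant algorithm matched, "integrity"
    when only an MD5/SHA-1 tag matched and require_secure is False, and raises
    HashTagError for a missing tag, a mismatch, or a disallowed algorithm.
    """
    tag = parse_hash_tag(url)
    if tag is None:
        raise HashTagError("link carries no hash tag")
    alg, expected = tag
    actual = hashlib.new(alg, data).hexdigest()
    # Constant-time comparison; the digests are ASCII hex strings of equal length.
    if not hmac.compare_digest(actual, expected):
        raise HashTagError("%s mismatch for %s" % (alg, url))
    if alg in SECURE_ALGORITHMS:
        return "secure"
    if alg in INTEGRITY_ONLY_ALGORITHMS and not require_secure:
        return "integrity"
    raise HashTagError("%s tag is not accepted as a security control" % alg)


if __name__ == "__main__":
    base = "https://example.invalid/simple/foo/foo-1.0.tar.gz"
    for alg in ("sha256", "md5"):
        link = build_hash_tag_link(base, alg, SAMPLE)
        try:
            print(alg, "->", verify_download(link, SAMPLE))
        except HashTagError as exc:
            print(alg, "-> rejected:", exc)
```

With `require_secure=True` an `md5=` tag is rejected even when the digest matches, which is the behaviour a client wants if it treats the tag as a defence against a substituted file rather than as a checksum against corruption; flipping the flag keeps MD5 tags working for the corruption-only use described in the thread.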
