Simon Josefsson wrote:
> MD5 is broken, and
> finding collisions takes just seconds on a normal PC. See:
> http://en.wikipedia.org/wiki/MD5#Security
Here is a suggested patch to improve the awareness of this issue in coreutils.

- The documentation of md5sum currently says "modifying a file so as to retain its MD5 [is] considered infeasible at the moment", but the research results of 2008 mentioned in <http://en.wikipedia.org/wiki/MD5#Security> showed how to manipulate a digital certificate so that the validity of its MD5 signature can be retained.

- The documentation of md5sum says "For more secure hashes, consider using SHA-1 or SHA-2." Well, researchers have already discovered security weaknesses in <http://en.wikipedia.org/wiki/SHA-1>; therefore it does not seem adequate to recommend SHA-1 any more.

- The 'md5sum --help' output and, with it, the manual page are silent about the security problems.

Here is a proposed patch to make this clearer.

2010-08-08  Bruno Haible  <br...@clisp.org>

	md5sum: Put more emphasis on security weaknesses.
	* doc/coreutils.texi (md5sum invocation): Mention currently known
	security problems. Don't recommend SHA-1 as alternative.
	* src/md5sum.c (usage): Mention that MD5 is not secure. Recommend
	SHA-2 as alternative.
	Reported by Simon Josefsson <si...@josefsson.org>.

--- doc/coreutils.texi.orig	Sun Aug 8 15:13:06 2010
+++ doc/coreutils.texi	Sun Aug 8 15:10:26 2010
@@ -3414,14 +3414,13 @@ Note: The MD5 digest is more reliable than a simple CRC (provided by the @command{cksum} command) for detecting accidental file corruption, as the chances of accidentally having two files with identical MD5 -are vanishingly small. However, it should not be considered truly -secure against malicious tampering: although finding a file with a -given MD5 fingerprint, or modifying a file so as to retain its MD5 are -considered infeasible at the moment, it is known how to produce -different files with identical MD5 (a ``collision''), something which -can be a security issue in certain contexts. For more secure hashes, -consider using SHA-1 or SHA-2. @xref{sha1sum invocation}, and -...@ref{sha2 utilities}. +are vanishingly small. However, it should not be considered secure +against malicious tampering: although finding a file with a given MD5 +fingerprint is considered infeasible at the moment, it is known how +to modify certain files, including digital certificates, so that they +appear valid when signed with an MD5 digest. (See +...@url{http://en.wikipedia.org/wiki/MD5#Security} for details.) +For more secure hashes, consider using SHA-2. @xref{sha2 utilities}. If a @var{file} is specified as @samp{-} or if no files are given @command{md5sum} computes the checksum for the standard input. --- src/md5sum.c.orig Sun Aug 8 15:13:06 2010 +++ src/md5sum.c Sun Aug 8 14:48:57 2010 @@ -196,6 +196,15 @@ a line with checksum, a character indicating type (`*' for binary, ` ' for\n\ text), and name for each FILE.\n"), DIGEST_REFERENCE); +#if HASH_ALGO_MD5 + printf (_("\ +\n\ +The MD5 algorithm should not be used any more for security related purposes,\n\ +see <%s>.\n\ +Instead, better use an SHA-2 algorithm, implemented in the programs\n\ +sha224sum, sha256sum, sha384sum, sha512sum.\n"), + "http://en.wikipedia.org/wiki/MD5#Security"); +#endif emit_ancillary_info (); }
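Review bot: In the doc/coreutils.texi hunk the new wording drops the word "collision" and says it is known how "to modify certain files, including digital certificates, so that they appear valid when signed with an MD5 digest", which reads as a second-preimage attack on an existing file, the very thing the preceding clause still calls infeasible. The 2008 certificate result this refers to is a chosen-prefix collision: the attacker constructs both colliding inputs up front and obtains a signature over the harmless one, which then also verifies over the other; no pre-existing file is modified. Suggest keeping the old text's explicit collision language and stating the consequence, e.g. `+it is known how to construct two different files with the same MD5` / `+(a ``collision''), for example two digital certificates of which only one` / `+was signed; this is a security issue in certain contexts.` Separately, the hunk deletes the @xref{sha1sum invocation} cross-reference outright; since sha1sum remains in the package, a sentence saying SHA-1 is also no longer recommended would guide readers better than silence, and a Wikipedia anchor (#Security) is a fragile thing to cite from a manual.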
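Review bot: The new --help text in the src/md5sum.c hunk is awkward English that will be frozen into every translation: "should not be used any more for security related purposes" (needs "security-related") and "Instead, better use an SHA-2 algorithm" read oddly, and "an SHA-2" should be "a SHA-2" as it is spoken. Suggest `+MD5 is not secure for cryptographic purposes; see <%s>.\n\` / `+Use one of the SHA-2 programs instead:\n\` / `+sha224sum, sha256sum, sha384sum, sha512sum.\n"),`. Guarding the block with `#if HASH_ALGO_MD5` is correct, because the same usage() is compiled into the sha*sum binaries, and passing the URL as a separate `%s` argument rather than embedding it in the `_()` string is the right way to keep it out of the translatable text.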
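As an added example (not part of this message, the patch, or coreutils itself), here is a small Python checker for the digest-file format that the md5sum.c hunk's context lines describe (hex digest, a space, `*` for binary or a space for text, then the file name). It identifies the algorithm from the digest length, refuses MD5 and SHA-1 lines by default in line with the recommendation above, and verifies SHA-2 lines. File contents come from an in-memory dict standing in for the filesystem, and the sample digest list is constructed inside the block, so it runs offline.

```python
import hashlib
import re

# Map from hex-digest length to algorithm, as emitted by the coreutils
# md5sum/sha*sum family: the digest length alone identifies the algorithm.
ALGO_BY_HEXLEN = {
    32: "md5", 40: "sha1", 56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512",
}
# Algorithms with published collision attacks: refused unless explicitly allowed.
WEAK_ALGOS = {"md5", "sha1"}

# One digest line: hex digest, one space, mode char (' ' text, '*' binary), name.
LINE_RE = re.compile(r"^([0-9A-Fa-f]+) ([ *])(.+)$")


def parse_digest_line(line):
    """Parse one 'digest mode name' line; returns (algo, hexdigest, binary, name)."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("malformed digest line: %r" % line)
    hexdigest, mode, name = m.groups()
    algo = ALGO_BY_HEXLEN.get(len(hexdigest))
    if algo is None:
        raise ValueError("unrecognised digest length %d" % len(hexdigest))
    return algo, hexdigest.lower(), mode == "*", name


def verify(lines, files, allow_weak=False):
    """Check every digest line against the contents in `files`.

    `files` maps file name to bytes and stands in for the filesystem (a
    constructed stand-in for this example). Result per name is one of
    OK, FAILED, MISSING or WEAK-ALGORITHM. Text mode is treated like binary
    mode, as md5sum -c does on POSIX systems.
    """
    results = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        algo, expected, _binary, name = parse_digest_line(line)
        if algo in WEAK_ALGOS and not allow_weak:
            results[name] = "WEAK-ALGORITHM"
            continue
        data = files.get(name)
        if data is None:
            results[name] = "MISSING"
            continue
        actual = hashlib.new(algo, data).hexdigest()
        results[name] = "OK" if actual == expected else "FAILED"
    return results


def make_sample():
    """Constructed sample: three files and a digest list covering each outcome."""
    files = {
        "README": b"coreutils md5sum example\n",
        "notes.txt": b"hello\n",
        "tampered.bin": b"original payload\n",
    }
    lines = [
        # SHA-256 of the real content: verifies.
        hashlib.sha256(files["README"]).hexdigest() + "  README",
        # Correct MD5, but MD5 is refused unless allow_weak=True.
        hashlib.md5(files["notes.txt"]).hexdigest() + "  notes.txt",
        # SHA-512 of different content than what is on "disk": fails.
        hashlib.sha512(b"what the publisher hashed\n").hexdigest() + " *tampered.bin",
        # Entry for a file that does not exist in `files`.
        hashlib.sha256(b"").hexdigest() + "  missing.txt",
    ]
    return lines, files


if __name__ == "__main__":
    sample_lines, sample_files = make_sample()
    for name, status in sorted(verify(sample_lines, sample_files).items()):
        print("%s: %s" % (name, status))
```

Run as a script it prints one status per entry (README OK, missing.txt MISSING, notes.txt WEAK-ALGORITHM, tampered.bin FAILED); passing `allow_weak=True` to `verify` turns the notes.txt entry into OK, which is the behaviour you would want only for checking accidental corruption, never for anything an attacker could have touched.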