Alastair Houghton wrote:
> On 2 Apr 2008, at 17:19, John Stiles wrote:
>> I take it all back; in 2007 there was an MD5 attack discovered which
>> actually allows for completely different binaries that sign the same.
>> Check Wikipedia for the details, but basically MD5 is totally broken
>> now. Wow, times change!!
>
> Actually I don't think you should take it back; it looks to me like
> the problem that has been solved (that of finding two files with the
> same prefix that have the same MD5 sum) is not a useful exploit in
> most cases.
>
> In order for it to be a real vulnerability, you would need an
> algorithm that, as you say, allows someone to take an arbitrary file
> and add some bytes that are determined by the algorithm in order to
> match a given hash. I don't believe, from what I've read, that that
> particular problem has been solved.
>
> The vulnerability that we have currently would only allow the original
> creator of a file to generate another file with the same checksum, and
> only under certain preconditions, so I contend that, as you originally
> stated, MD5 is not fully broken (and not even usefully broken in many
> respects).

Well, you're right, but I still wouldn't want to use it for anything
where security was a real concern; I'd be worried that the next attack
wouldn't be so forgiving.
_______________________________________________
Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
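
The thread turns on the difference between finding any two files with the same digest (a collision, where one party chooses both files) and matching the digest of a file someone else already published (a second preimage). The following is an added example, not part of the original message: it brute-forces both problems against MD5 truncated to 20 bits to show how differently they scale. It is not the cryptanalytic MD5 attack the thread refers to; the 20-bit truncation, the function names and the sample byte strings are assumptions made for illustration.

```python
import hashlib
from itertools import count

BITS = 20  # toy digest size (assumption); real MD5 is 128 bits


def toy_md5(data: bytes, bits: int = BITS) -> int:
    """MD5 truncated to its top `bits` bits, so both searches finish quickly."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - bits)


def find_collision(prefix: bytes, bits: int = BITS):
    """Collision search: the searcher picks BOTH messages.

    Returns (msg_a, msg_b, tries). By the birthday bound this needs about
    2**(bits/2) tries, and by pigeonhole never more than 2**bits + 1.
    """
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()
        h = toy_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_second_preimage(target: bytes, prefix: bytes, bits: int = BITS,
                         max_tries: int = 1 << 24):
    """Second-preimage search: the target file is fixed by someone else.

    Returns (msg, tries), or None if max_tries is exhausted. Expected cost
    is about 2**bits tries, the square of the collision cost.
    """
    want = toy_md5(target, bits)
    for i in range(max_tries):
        msg = prefix + str(i).encode()
        if msg != target and toy_md5(msg, bits) == want:
            return msg, i + 1
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not real files.
    a, b, c_tries = find_collision(b"installer-")
    print(f"collision after {c_tries} tries: {a!r} / {b!r}")
    found = find_second_preimage(b"original release binary", b"installer-")
    if found:
        print(f"second preimage after {found[1]} tries: {found[0]!r}")
    print("scaled to 128 bits by brute force: ~2**64 vs ~2**128 tries")
```
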