* Steffen Schulz:

> On 070613 at 10:43, Florian Weimer wrote:
>> > AND the fact that it needs to be a valid .deb archive, they are
>> > probably more than strong enough.
>
> This is actually not much of a problem:
>
> http://www.cits.rub.de/MD5Collisions/
>
> One example how to create two files with same hash that act
> differently. Should work with most active content.

The problem is ambiguous content, not the collision. This has been
thoroughly debunked, I don't know why they continue publishing this.
It's easy to exploit their fictional document signing process without
creating an MD5 collision, which strongly suggests ("proves") that the
process itself is flawed.

Since you are located at RUB, could you please make sure that they
correct their analysis?

> Kaminsky did the same with self-extracting executables:
>
> http://www.doxpara.com/md5_someday.pdf

Yeah, but the evil twins must be created *by* *the* *same* *party*.
In the Debian case, this party is already trusted, so the current
attacks make no difference.

>> That, and the "evil twin" package would have to be prepared by the
>> security team as well, which isn't a relevant scenario (because they
>> could put a backdoor in the original without attacking the hash).
>
> So apt-get signatures use a secure hash function?

Secure against currently known attacks, yes. And we can distribute a
new hash function to clients pretty easily (something which is quite
unusual).

> With the above results, it would be possible to officially distribute
> nice behaving software but present specific targets with modified
> packages that do evil.

Yeah, right. Guess what? Distributors can do this even without using
MD5 attacks.