Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

Skywing Skywing at valhallalegends.com
Fri Jan 2 23:21:25 UTC 2009


That md5 has now been deprecated for a while is certainly also true; and people should have definitely moved on by now.

Then again, I just got yet another Debian DSA mail which has plaintext download links for new binaries.  The integrity verification mechanism for said binaries is, you guessed it: PGP-signed md5sums.

We still have a long way to go. :)

– S
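The integrity check the post is complaining about, as an added example that is not from this thread or from Debian: a manifest verifier that treats a PGP-signed md5sum as insufficient to bind a signature to a binary and only accepts files backed by a collision-resistant digest. The manifest line format, the accepted-algorithm policy and the sample package contents are assumptions constructed for the example; verification of the PGP signature over the manifest is assumed to have happened beforehand (e.g. with gpg).

```python
import hashlib

# Digests accepted for binding a signed manifest to a file. MD5 is excluded:
# with practical collision attacks, a signed MD5 line no longer pins down a
# single file, so the PGP signature over it proves little. (Policy chosen for
# this example; the signature itself is assumed verified beforehand.)
ACCEPTED_ALGOS = {"sha256", "sha512"}

# Constructed sample "packages": in reality these would be files on disk.
FILES = {
    "foo_1.0_amd64.deb": b"constructed package contents, version 1\n",
    "bar_2.3_all.deb": b"constructed package contents for bar\n",
}


def make_manifest(files, algos):
    """Build a manifest of 'ALGO HEX FILENAME' lines (format assumed here)."""
    lines = []
    for name, data in files.items():
        for algo in algos:
            lines.append(f"{algo} {hashlib.new(algo, data).hexdigest()} {name}")
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Yield (algo, hexdigest, filename) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0].lower(), parts[1].lower(), parts[2]


def verify(manifest_text, files):
    """Check every manifest line; return {(filename, algo): status}."""
    results = {}
    for algo, expected, name in parse_manifest(manifest_text):
        if algo not in ACCEPTED_ALGOS:
            results[(name, algo)] = "rejected-weak-hash"
        elif name not in files:
            results[(name, algo)] = "missing"
        elif hashlib.new(algo, files[name]).hexdigest() == expected:
            results[(name, algo)] = "ok"
        else:
            results[(name, algo)] = "mismatch"
    return results


def accepted_files(results):
    """Files backed by at least one strong, matching digest and no mismatch."""
    good = {n for (n, _), s in results.items() if s == "ok"}
    bad = {n for (n, _), s in results.items() if s == "mismatch"}
    return good - bad


if __name__ == "__main__":
    manifest = make_manifest(FILES, ("md5", "sha256"))
    for key, status in verify(manifest, FILES).items():
        print(key, status)
```

A manifest carrying only md5 lines yields no accepted files at all, which is the point: the signature is only as strong as the digest it covers.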

-----Original Message-----
From: Steven M. Bellovin <smb at cs.columbia.edu>
Sent: Friday, January 02, 2009 15:07
To: Skywing <Skywing at valhallalegends.com>
Cc: Deepak Jain <deepak at ai.net>; NANOG <nanog at nanog.org>
Subject: Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.


On Fri, 2 Jan 2009 16:51:53 -0600
Skywing <Skywing at valhallalegends.com> wrote:

> Of course, md5 *used* to be good crypto.
>
See http://www.cs.columbia.edu/~smb/blog/2008-12/2008-12-30.html for
the links, but MD5 has been suspect for a very long time.

Dobbertin found problems with it in 1996.  The need for caution with it
was not just knowable but known, and stated publicly.  I'm sure others
did so as well; I can only easily quote my own works.  From the second
edition of my Firewalls book, in 2003:

        Additionally, \i{SHA} has replaced \i{MD5}, as the latter
        appears to be weaker than previously believed.

and

        Hints of weakness have shown up in MD5 and RIPEMD-160; cautious
        people will eschew them, though none of the attacks are of use
        against either function when used with HMAC\@.

        As of this writing, the \i{NIST} algorithm appears to be the
        best choice. For many purposes, the newer versions of SHA are
        better; these have block sizes ranging from 256 to 512 bits.

Even if that were not enough, Wang et al. presented the actual
collisions in 2004.  There have been many updates and patches to more
or less everything since then...

Yes -- if you pick something that's very weak, you can get caught by
surprise.  But modern algorithms don't fall all at once.

I should add, of course, that if you use bad algorithms or bad
protocols, it doesn't matter where you store the public key.  When I
said that the update problem was easier, what I was saying is that
you're not relying on outside parties for verification of identity,
etc., it's all your own data.

                --Steve Bellovin, http://www.cs.columbia.edu/~smb
