gnu-arch-users
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnu-arch-users] crypto features and 1.2preX


From: Brian May
Subject: Re: [Gnu-arch-users] crypto features and 1.2preX
Date: Wed, 07 Jan 2004 11:13:34 +1100
User-agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/21.3 (gnu/linux)

>>>>> "Tom" == Tom Lord <address@hidden> writes:

Two questions:

    Tom> * MD5 Checksums of Revision Data

[...]

    Tom>   When arch retrieves a file from an archive, it computes an
    Tom> MD5 of the file it receives and compares that to the checksum
    Tom> file.  If they disagree, an error is signaled and the
    Tom> operation is aborted.

1. I have heard, from other mailing lists, that it is feasible to
alter a file *and* *its* length* in such a way that it will produce
exactly the same MD5 Checksum. The moral of the story was you can't
rely on the MD5 checksum by itself, you need the MD5Sum + Length of
the data.

Does arch do the right thing here?

2. Is there anything to prevent me from doing this[1]?

[338] [scrooge:bam] ~/tmp/tree >tla my-id "Tom Lord <address@hidden>"
[339] [scrooge:bam] ~/tmp/tree >tla commit -s "My forgery"
M  file

You need a passphrase to unlock the secret key for
user: "Brian May <address@hidden>"
1024-bit DSA key, ID 00530C24, created 2000-07-26

* commited address@hidden/test--devo--0.1--patch-1

[348] [scrooge:bam] ~/tmp/tree >tla revisions --creator
gpg: Signature made Wed 07 Jan 2004 10:54:51 EST using DSA key ID 00530C24
gpg: Good signature from "Brian May <address@hidden>"
gpg:                 aka "Brian May <address@hidden>"
base-0
    Brian May <address@hidden>
gpg: Signature made Wed 07 Jan 2004 10:57:26 EST using DSA key ID 00530C24
gpg: Good signature from "Brian May <address@hidden>"
gpg:                 aka "Brian May <address@hidden>"
patch-1
    Tom Lord <address@hidden>

Here, the signature is made with my key, but tla doesn't realize that
the creator field was forged.
-- 
Brian May <address@hidden>




reply via email to

[Prev in Thread] Current Thread [Next in Thread]