Re: [Gnu-arch-users] Re: MD5 is broken


From: Jan Hudec
Subject: Re: [Gnu-arch-users] Re: MD5 is broken
Date: Thu, 17 Mar 2005 19:24:34 +0100
User-agent: Mutt/1.5.6+20040907i

On Wed, Mar 16, 2005 at 19:54:53 +0000, Bruce Stephens wrote:
> Ivan Boldyrev <address@hidden> writes:
> 
> [...]
> 
> > When you sign a patch, you just sign ./checksum file.  But this file
> > is list of filenames and md5sums:
> 
> Ah.  I assumed it was signing a patch, but I guess that wouldn't be as
> useful as signing the actual contents of what you end up with after
> applying the patch.

But it IS signing a patch. An electronic signature is taking a hash of the
data and encrypting it with your private key, so it can be decrypted by
your public key to verify it was you who encrypted it. In arch the only
difference is that a hash of a hash is encrypted instead of just the hash.
But it still works the same and still verifies the same data -- the
patch contents and the log contents.

> But that still means that the collisions would have to be in the
> actual contents of individual files.  For most applications, I'd guess
> the opportunities for constructing usefully different pairs of files
> with collisions would be fairly limited.

In fact not. The checksum is taken from the *compressed* patch. This
makes it yet another bit more difficult to abuse, because while you can
insert junk into the gzipped stream (i.e. it _actually_ is possible to
create two gzipped files with the same checksum), it will not affect the
output of decompression, so creating colliding archives this way is
useless.

> Not that md5 shouldn't be substituted (indeed, I'm surprised it was
> used in the first place; are there common platforms where md5sum
> exists but sha1sum doesn't?), but I'm unconvinced that it's a
> significant risk.

-------------------------------------------------------------------------------
                                                 Jan 'Bulb' Hudec 
<address@hidden>
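The two-level scheme described in the message above (a signed `./checksum` manifest of per-file digests taken over the gzip-compressed patches), as an added example that is not part of the thread or of arch itself. A keyed hash stands in for the detached PGP signature so the script runs with the standard library only; the file names, patch text and key are constructed.

```python
import gzip
import hashlib
import hmac

def build_manifest(files, algo="md5"):
    """The ./checksum file: one '<hexdigest>  <name>' line per archived file.
    The digests are taken over the stored (gzip-compressed) patch bytes."""
    return "".join(f"{hashlib.new(algo, data).hexdigest()}  {name}\n"
                   for name, data in sorted(files.items()))

def sign_manifest(manifest, key):
    """Stand-in for the detached signature over ./checksum (a keyed hash of the
    manifest, i.e. a hash of hashes) so the example runs without a PGP key."""
    return hmac.new(key, manifest.encode(), "sha256").hexdigest()

def verify_archive(files, manifest, sig, key, algo="md5"):
    """Check the signature first, then every file against its signed digest.
    Returns (ok, list of names whose bytes do not match the manifest)."""
    if not hmac.compare_digest(sign_manifest(manifest, key), sig):
        return False, ["<manifest signature>"]
    bad = []
    for line in manifest.splitlines():
        digest, name = line.split("  ", 1)
        if hashlib.new(algo, files.get(name, b"")).hexdigest() != digest:
            bad.append(name)
    return not bad, bad

def with_gzip_comment(gz, comment):
    """Insert junk into a gzip stream's header (the FCOMMENT field) without
    touching the deflate data: a different file, the same decompressed output."""
    flags = gz[3] | 0x10
    return gz[:3] + bytes([flags]) + gz[4:10] + comment + b"\x00" + gz[10:]

def demo():
    patch = gzip.compress(b"--- a/foo\n+++ b/foo\n@@ -1 +1 @@\n-old\n+new\n", mtime=0)
    files = {"patches/foo.patch.gz": patch, "log": b"Summary: fix foo\n"}
    key = b"constructed-signing-key"   # constructed; not real key material
    manifest = build_manifest(files)
    sig = sign_manifest(manifest, key)
    ok_clean, _ = verify_archive(files, manifest, sig, key)
    # Junk in the gzip header changes the md5 of the stored file, so the signed
    # manifest no longer matches it, yet the patch it decompresses to is unchanged.
    junk = with_gzip_comment(patch, b"junk")
    ok_junk, bad = verify_archive(dict(files, **{"patches/foo.patch.gz": junk}),
                                  manifest, sig, key)
    same_patch = gzip.decompress(junk) == gzip.decompress(patch)
    return ok_clean, ok_junk, bad, same_patch
```

Passing `algo="sha256"` to `build_manifest` and `verify_archive` is all that changes when the manifest digest is switched away from md5, since the signature binds the manifest rather than the hash function.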
