Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 13 Mar 2013 08:45:17 -0400
From: "Mike O'Connor" <mjo@...o.mi.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE assignments for "weak" crypto (was CVE Request: MD5 used for Download verification)

steve:The fundamental problem is in the MD5 algorithm itself; any
steve:implementation of MD5 will suffer from the same problems.  We have
steve:multiple CVE identifiers for the various weaknesses of MD5.  Any
steve:product that uses MD5 is therefore subject to these weaknesses.

Multiple?  I did a quick search of MD5 from thE CVE database:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=md5

and found only one that *didn't* look tied to a particular implementation.
Having said that...

tim:I think if an application relies on a cryptographic primitive for a
tim:property that it does not provide, or that it is KNOWN to be broken
tim:for (such as MD5 or SHA1 with collision resistance), then there should
tim:be a CVE assigned.  The cat's out of the bag on these things; there'st
tim:no excuse to use MD5 for this purpose.  The world knows these hashes

...the one CVE I found involving one of the "various weaknesses of
MD5" DID involve MD5 collision resistance:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2761

However, the associated text might be misleading -- caps are mine:

	 The MD5 Message-Digest Algorithm is not collision resistant, which
	 makes it easier for CONTEXT-DEPENDANT attackers to conduct spoofing
	 attacks, AS DEMONSTRATED BY ATTACKS ON THE USE OF MD5 IN THE
	 SIGNATURE ALGORITHM OF AN X.509 CERTIFICATE.

While a careful reading of the text may lead one to conclude "X.509 is
just one example of MD5 b0rked-ness", someone who implements MD5 in a
non-X.509 cert context might easily gloss over this one.

Might it make sense to highlight some of these "fundamental" CVEs that
a diverse range of apps might be prone to?  Just thinking out loud here...

-Mike

-- 
 Michael J. O'Connor                                          mjo@...o.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Make it so they have to reboot after every typo."     -the Pointy-Haired One

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.