[Mac_crypto] Apple should use SHA! (or stronger) to authenticate software releases

Arnold G. Reinhold mac_crypto@vmeng.com
Mon, 5 Apr 2004 10:46:31 -0400

Dobbertin's 1996 collision demonstration is another good reason not 
to use md5, but it obviously hasn't gotten the open source community 
or Apple to stop.  Whether my attack will be any more successful in 
effecting change remains to be seen. Publishing SHA1 hashes in 
parallel with md5 seems like such an inexpensive thing to do, but one 
should never underestimate cryptographic inertia. For the record, I 
first published my attack on Perry Metzger's cryptography list in 
February, 2002.

Arnold Reinhold

At 5:56 PM -0400 4/4/04, Don Davis wrote:
>hi, mr. reinhold --
>there's stronger reason than the ones you cite,
>to distrust md5 as a message-digest.  see these
>old sci.crypt threads, and the google-search below,
>for discussions of hans dobbertin's 1996 crack
>of md5:
>btw, in a phone conversation, dobbertin emphasized
>to me that his attack only works when md5 is used
>as a message-digest; it doesn't work when md5 is
>used with a key to prepare a MAC.  he also mentioned
>that while sha-1 may be vulnerable to an attack of
>a similar style (because sha-1 is similar in structure
>to md5), he himself was forbidden by german
>law to work to cryptanalyze sha-1, because he worked
>at that time for the german federal security service,
>and so wasn't allowed to attack the USG's standard
>ciphers.  now he's at ruhr university (in bochum),
>but i don't know whether he's more of a free agent.
>				- don davis, boston
>>  To: mac_crypto@vmeng.com
>>  From: "Arnold G. Reinhold" <reinhold@world.std.com>
>>  Subject: [Mac_crypto] Apple should use SHA! (or stronger) to authenticate software releases
>>  Sender: mac_crypto-admin@vmeng.com
>>  Reply-To: mac_crypto@vmeng.com
>>  List-Id: Macintosh Cryptography <mac_crypto.vmeng.com>
>>  List-Archive: <http://www.vmeng.com/pipermail/mac_crypto/>
>>  Date: Sun, 4 Apr 2004 06:17:55 -0500
>>  The cryptographic hash function MD5 has long been used to
>>  authenticate software packages, particularly in the Linux/Unix/open
>>  source community. This has carried over to Apple's OS-X. The MD5 hash
>>  of an entire package is calculated and its value is transmitted
>>  separately from the package. Users who download the package compute
>>  the hash of the copy they received and match that value against the
>>  original.
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
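As an added illustration of the verification workflow the quoted post describes (example code written for this page, not code from the thread, from Apple, or from any list member), the following Python script plays both sides: the publisher posts MD5, SHA-1 and SHA-256 digests in parallel in the md5sum/sha1sum line format, and the downloader recomputes all of them over the received bytes and only reports the release as verified when a digest from the TRUSTED set matched. The sums-file format, the file name and the TRUSTED policy are assumptions made for the example.

```python
import hashlib
import hmac

# Digest length in hex characters -> algorithm, for *SUMS files in the
# coreutils md5sum/sha1sum line format: "<hexdigest>  <filename>".
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# MD5 collisions were demonstrated in 1996 (Dobbertin) and SHA-1 collisions
# in 2017, so this example (an assumed policy) only calls a release verified
# when a SHA-2 digest matched. A matching MD5 on its own proves very little.
TRUSTED = ("sha256", "sha512")


def publish_digests(package: bytes, algorithms=("md5", "sha1", "sha256")) -> dict:
    """Publisher side: digests to post alongside (never inside) the package."""
    return {alg: hashlib.new(alg, package).hexdigest() for alg in algorithms}


def parse_sums(text: str) -> dict:
    """Parse md5sum/sha1sum-style lines into {filename: {algorithm: hexdigest}}."""
    published = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        alg = DIGEST_LENGTHS.get(len(parts[0]))
        if alg is None or len(parts) != 2:
            raise ValueError(f"unrecognised digest line: {line!r}")
        name = parts[1].lstrip("*")  # md5sum marks binary-mode entries with '*'
        published.setdefault(name, {})[alg] = parts[0].lower()
    return published


def verify_release(package: bytes, published: dict) -> dict:
    """Downloader side: recompute every published digest over the received bytes.

    verdict 'ok'       every digest matched and at least one is in TRUSTED
            'weak'     every digest matched, but none is in TRUSTED (e.g. MD5 only)
            'mismatch' at least one digest differs: corrupt or tampered download
    """
    matches = {alg: hmac.compare_digest(hashlib.new(alg, package).hexdigest(), hexdigest.lower())
               for alg, hexdigest in published.items()}
    if not all(matches.values()):
        verdict = "mismatch"
    elif any(alg in TRUSTED for alg in published):
        verdict = "ok"
    else:
        verdict = "weak"
    return {"matches": matches, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: a tiny "package" and the lines a publisher would post.
    pkg = b"example package contents v1.0\n"
    sums = "\n".join(f"{d}  pkg.tar.gz" for d in publish_digests(pkg).values())
    print(verify_release(pkg, parse_sums(sums)["pkg.tar.gz"]))
    print(verify_release(pkg + b"!", parse_sums(sums)["pkg.tar.gz"])["verdict"])
```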