nanog mailing list archives

Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.


From: Valdis.Kletnieks () vt edu
Date: Sun, 04 Jan 2009 00:37:59 -0500

On Sat, 03 Jan 2009 17:23:06 +0100, Florian Weimer said:
> Our rationale is that in order to carry out currently known attacks on
> MD5, you need to create a twin of documents, one evil and one
> harmless.  In Debian's case, we prepare the data we sign on our
> trusted infrastructure.  If someone can sneak in an evil twin due to a
> breach, more direct means of attack are available.

More to the point - there are known easy ways for an attacker to generate *two*
documents that have the same MD5 hash (the basis of this attack).  However, the
attacker has no control over what the actual value of that MD5 hash is.

What's *not* still feasible is for an attacker to take Debian's data and the
already-generated MD5 hash, and create a second file that hashes to that
same already-known hash.

At that point, it's probably easier to just attack the trusted infrastructure
in an attempt to recover the GnuPG private key, and then just sign your
evil replacement package.  There are 2 advantages to this attack:

1) It doesn't *matter* if they PGP-sign the file with the MD5 hashes or if
the file has SHA1 or SHA512 - the signature will look fine.

2) It's been proven doable to at least one major distro in the past few months.
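The practical consequence of the collision-versus-second-preimage distinction above, for anyone consuming a signed hash list: the signature proves the list is authentic, but a digest in that list is only as strong as the hash function behind it. The following is an added example, not code from the thread or from Debian's tooling; it parses a Release-style file (the `MD5Sum:` / `SHA256:` / `SHA512:` stanza layout of `" <hex> <size> <name>"` lines) and verifies a file against the strongest accepted digest, refusing a list that carries only MD5 or SHA1. The package bytes, file names and the helpers `build_release`, `parse_release` and `verify_file` are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample package contents (not a real Debian package).
GOOD_PKG = b"Package: example\nVersion: 1.0\n" + b"A" * 64
# Same length as GOOD_PKG, so only the digest check can catch it.
TAMPERED_PKG = GOOD_PKG.replace(b"Version: 1.0", b"Version: 1.1")

# Stanza heading -> hashlib algorithm name, as used in Release files.
HASH_FUNCS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
# Digests we accept for verification, strongest first.  MD5Sum and SHA1
# are deliberately absent: collisions are practical for MD5 (the point of
# the thread), so an MD5-only list proves nothing about the bytes on disk.
ACCEPTED = ("SHA512", "SHA256")


def build_release(entries, algorithms):
    """Hypothetical helper: emit a Release-style text listing every file in
    `entries` ({name: bytes}) under each requested digest heading."""
    lines = []
    for heading in algorithms:
        lines.append(f"{heading}:")
        for name, data in entries.items():
            digest = hashlib.new(HASH_FUNCS[heading], data).hexdigest()
            lines.append(f" {digest} {len(data)} {name}")
    return "\n".join(lines) + "\n"


def parse_release(text):
    """Parse 'Heading:' stanzas whose entries are ' <hex> <size> <name>'.
    Returns {heading: {name: (hexdigest, size)}}; non-digest fields such as
    'Origin: Debian' are skipped."""
    sections = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            heading = line.rstrip(":")
            if line.endswith(":") and heading in HASH_FUNCS:
                current = sections.setdefault(heading, {})
            else:
                current = None
            continue
        if current is None:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed entry: {line!r}")
        current[parts[2]] = (parts[0].lower(), int(parts[1]))
    return sections


def verify_file(release_text, name, data):
    """Return (ok, reason).  Checks `data` against the strongest accepted
    digest listed for `name`; size is compared first, then the digest with a
    constant-time comparison.  A list with no accepted digest is refused."""
    sections = parse_release(release_text)
    for heading in ACCEPTED:
        entry = sections.get(heading, {}).get(name)
        if entry is None:
            continue
        expected_hex, expected_size = entry
        if len(data) != expected_size:
            return False, f"{heading}: size mismatch"
        actual = hashlib.new(HASH_FUNCS[heading], data).hexdigest()
        if hmac.compare_digest(actual, expected_hex):
            return True, f"verified with {heading}"
        return False, f"{heading}: digest mismatch"
    present = [h for h in sections if name in sections[h]]
    return False, f"no accepted digest for {name} (only {present or 'none'})"


if __name__ == "__main__":
    name = "pool/example_1.0.deb"
    strong = build_release({name: GOOD_PKG}, ("MD5Sum", "SHA256", "SHA512"))
    md5_only = build_release({name: GOOD_PKG}, ("MD5Sum",))
    print(verify_file(strong, name, GOOD_PKG))        # (True, 'verified with SHA512')
    print(verify_file(strong, name, TAMPERED_PKG))    # (False, 'SHA512: digest mismatch')
    print(verify_file(md5_only, name, GOOD_PKG))      # refused: MD5 is not an accepted digest
```

Note that `verify_file` never falls back to a weaker stanza when a stronger one is present but mismatches: a tampered file must fail, not be retried against MD5. Signature checking of the Release text itself (the GnuPG step the message discusses) is assumed to happen before this function is called.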
