
#12 Replace MD4 with a more secure hash function

Status: open
Owner: nobody
Priority: 5
Updated: 2006-02-22
Created: 2006-02-22
Creator: tromer
Private: No

The MD4 hash function is insecure. Collision attacks
have been known for many years now, and a recent paper by
Wang et al. [1] shows several second preimage attacks,
as follows. First, there's an algorithm which, given a
random message and its MD4 hash, finds another message
having the same hash with probability 2^-56. Second, if
the attacker can also alter the original message (and
thus its hash) slightly, he can find a second message
having the same hash with just 2^27 MD4 invocations.

Doubtless, even stronger attacks will soon be found.

MD4 (with known seed) is thus completely broken, making
rsync batch mode and librsync unsafe to use in
malicious environments. Please do consider phasing out MD4.

The fastest hash function with no interesting known
attacks is SHA-256, which is still somewhat expensive
(though this can be partially addressed by the
meta-hash idea -- see the librsync list, July 2005,
"Re: more info on 25gig files"). SHA-1 may also be OK
for a while despite the known collision attacks, and
has acceptable speed.

[1]
http://www.springerlink.com/openurl.asp?genre=article&issn=0302-9743&volume=3810&spage=1

Discussion

  • Nobody/Anonymous

    Logged In: NO

    Obviously a hash function with easy-to-find collisions would
    be unacceptable for digital signatures, but it's not obvious
    to me how collisions pose a security problem for
    file-copying programs.
    -- Matt McCutchen <hashproduct@verizon.net>

     
  • tromer

    tromer - 2006-02-22

    Logged In: YES
    user_id=260564

    The danger is that an attacker will cause the result of the
    transfer to be corrupted (possibly in a carefully crafted
    way), thereby violating the guarantee made by librsync. The
    consequences could be arbitrarily bad, depending on the
    application. For example, rsync-based database replication
    may lead to the copies containing bogus data.

    Specific attack vectors have been extensively hashed
    (*cough*) on the mailing list.
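
The corruption described in the reply above, as an added example that is not part of the original thread and is not librsync code: a simplified, block-aligned signature/delta/patch exchange with no rolling checksum. SHA-256 truncated to one byte stands in for a strong hash with feasible collisions (it is not MD4), and all names and sample data are constructed for illustration.

```python
import hashlib
from itertools import count

BLOCK = 8  # toy block size (assumption; real tools use far larger blocks)

def weak8(b):
    # Stand-in for a broken strong hash: 8 bits, so collisions are cheap.
    return hashlib.sha256(b).digest()[:1]

def sha256(b):
    return hashlib.sha256(b).digest()

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def signature(basis, h):
    # Receiver: strong hash of every block it already holds -> block index.
    return {h(b): i for i, b in enumerate(blocks(basis))}

def delta(new, sig, h):
    # Sender: if a block's hash is in the signature, assume the receiver
    # already has that block and send only a reference to it.
    return [("copy", sig[h(b)]) if h(b) in sig else ("literal", b)
            for b in blocks(new)]

def patch(basis, d):
    # Receiver: rebuild the file from its own blocks plus received literals.
    old = blocks(basis)
    return b"".join(old[x] if op == "copy" else x for op, x in d)

def transfer(basis, new, h):
    return patch(basis, delta(new, signature(basis, h), h))

def colliding_block(target, h):
    # Brute-force search; it only terminates quickly because h is weak.
    for n in count():
        c = b"%08d" % n
        if c != target and h(c) == h(target):
            return c

GENUINE = b"pay=0100acct=A17"            # constructed sender-side file
planted = colliding_block(GENUINE[:BLOCK], weak8)
BASIS = planted + GENUINE[BLOCK:]        # receiver's old copy holds the planted block

if __name__ == "__main__":
    print("weak hash :", transfer(BASIS, GENUINE, weak8))   # differs from GENUINE
    print("SHA-256   :", transfer(BASIS, GENUINE, sha256))  # equals GENUINE
```

With the weak hash the sender never transmits the first block, so the receiver keeps the planted data and the transfer still reports success; with SHA-256 the block is sent as a literal.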

     
