#12 Replace MD4 with a more secure hash function

open
nobody
5
2006-02-22
2006-02-22
tromer
No

The MD4 hash function is insecure. Collision attacks
are known for many years now, and and a recent paper by
Wang et al [1] shows a several second preimage attacks,
as follows. First, there's an algorithm which, given a
random message and its MD4 hash, finds another message
having the same hash with probability 2^-56. Second, if
the attacker can also alter the original message (and
thus its hash) slightly, he can find a second message
having the same hash with just 2^27 MD4 invocations.

Doubtless, even stronger attacks will soon be found.

MD4 (with known seed) is thus completely broken, making
rsync batch mode and librsync unsafe to use in
malicious environments. Please do consider phasing out MD4.

The fastest hash function with no interesting known
attacks is SHA-256, which is still somewhat expensive
(though this can be partially addressed by the
meta-hash idea -- see the librsync list, July 2005,
"Re: more info on 25gig files". SHA-1 may also be OK
for a while despite the known collision attacks, and
has acceptable speed.

[1]
http://www.springerlink.com/openurl.asp?genre=article&issn=0302-9743&volume=3810&spage=1

Discussion

  • Nobody/Anonymous

    Logged In: NO

    Obviously a hash function with easy-to-find collisions would
    be unacceptable for digital signatures, but it's not obvious
    to me how collisions pose a security problem for
    file-copying programs.
    -- Matt McCutchen <hashproduct@verizon.net>

     
  • tromer

    tromer - 2006-02-22

    Logged In: YES
    user_id=260564

    The danger is that an attacker will cause the result of the
    transfer to be corrupted (possibly in a carefully crafted
    way), thereby violating the guarantee made by librsync. The
    consequences could be arbitrarily bad, depending on the
    application. For example, rsync-based database replication
    may lead to the copies containing bogus data.

    Specific attack vectors have been extensively hashed
    (*cough*) on the mailing list.

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.





No, thanks