From nobody@FreeBSD.ORG Wed Oct  6 01:56:56 1999
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 8431814FD5; Wed,  6 Oct 1999 01:56:56 -0700 (PDT)
Message-Id: <19991006085656.8431814FD5@hub.freebsd.org>
Date: Wed,  6 Oct 1999 01:56:56 -0700 (PDT)
From: efrias@sg505.net
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@freebsd.org
Subject: md5(1) manpage should not claim the md5 algorithm to be secure
X-Send-Pr-Version: www-1.0

>Number:         14158
>Category:       docs
>Synopsis:       md5(1) manpage should not claim the md5 algorithm to be secure
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    security-officer
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct  6 02:00:00 PDT 1999
>Closed-Date:    Mon Sep 3 18:01:55 PDT 2001
>Last-Modified:  Mon Sep 03 18:02:19 PDT 2001
>Originator:     Eric Frias
>Release:        3.2-RELEASE
>Organization:
>Environment:
>Description:
[Warning: I am not a cryptographer]

The md5(1) manpage states:

It is conjectured that it is computationally infeasible to produce two messages
having the same message digest, or to produce any message having a given
prespecified target message digest.  The MD5 algorithm is intended for
digital signature applications, where a large file must be ``compressed''
in a secure manner before being encrypted with a private (secret) key under
a public-key cryptosystem such as RSA.

It is my understanding that MD5 is no longer considered suitable for 
cryptographic applications, since certain attacks have been developed.
The RSADSI FAQ provides several references.  See
http://www.rsasecurity.com/rsalabs/faq/3-6-6.html

If this is indeed the case, the manpage should be revised to mention
the weakness.  
>How-To-Repeat:

>Fix:
Have someone who understands cryptography review the information and
decide if the supposed weaknesses in the algorithm warrant revision
to the manpage.  Perhaps mention another, more secure, hashing program
from the manpage if one exists.

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: murray 
State-Changed-When: Mon Sep 3 17:16:01 PDT 2001 
State-Changed-Why:  
How about this patch?  It is essentially taken from md5(3).  I think 
that we should mention the potential weakness in the user level 
command, not just in the library. 

Index: md5.1 
=================================================================== 
RCS file: /home/ncvs/src/sbin/md5/md5.1,v 
retrieving revision 1.15 
diff -u -r1.15 md5.1 
--- md5.1	2001/08/07 15:48:35	1.15 
+++ md5.1	2001/09/04 00:15:28 
@@ -28,6 +28,12 @@ 
key under a public-key cryptosystem such as 
.Em RSA . 
.Pp 
+MD5 has not yet (2001-09-03) been broken, but sufficient attacks have been 
+made that its security is in some doubt.  The attacks on MD5 
+are in the nature of finding ``collisions'' - that is, multiple 
+inputs which hash to the same value; it is still unlikely for an attacker 
+to be able to determine the exact original input given a hash value. 
+.Pp 
The following options may be used in any combination and must 
precede any files named on the command line.  The MD5 
sum of each file listed on the command line is printed after the options 
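Review bot: the last sentence of the added paragraph ("it is still unlikely for an attacker to be able to determine the exact original input given a hash value") describes inverting the hash to recover the original message, but the property that still holds is preimage resistance, i.e. finding any input that hashes to a given value; suggest "to find any input that hashes to a given value" so the text does not understate what an attacker would gain. Two smaller points on the same lines: the literal date "(2001-09-03)" inside "has not yet ... been broken" will go stale independently of the page's .Dd date, so consider "as of this writing" or dropping the date; and the bare " - " after ``collisions'' should be an mdoc-friendly dash (for example the troff escape \(en) rather than a hyphen.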



Responsible-Changed-From-To: freebsd-doc->security-officer 
Responsible-Changed-By: murray 
Responsible-Changed-When: Mon Sep 3 17:16:01 PDT 2001 
Responsible-Changed-Why:  
A call for the security-officer to make. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=14158 
State-Changed-From-To: analyzed->closed 
State-Changed-By: murray 
State-Changed-When: Mon Sep 3 18:01:55 PDT 2001 
State-Changed-Why:  
Fix has been committed to -CURRENT, thanks. 


http://www.FreeBSD.org/cgi/query-pr.cgi?pr=14158 
>Unformatted:
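The manpage excerpt quoted in this PR and the proposed patch both turn on one point: in the hash-then-sign use MD5 was designed for, the signature is computed over the digest alone, so two messages with the same digest share one valid signature. The following is an added example, not code from the PR, from md5(1) or from FreeBSD. It assumes a toy hash (MD5 truncated to 16 bits, standing in for a hash whose collision resistance has failed), textbook RSA with small constructed primes and no padding, and the hypothetical helper names toy_digest, find_collision and signature_transfers; it does not find a collision in full MD5.

```python
import hashlib

# Added example (not from the PR or FreeBSD): why a collision in the digest
# function defeats the hash-then-sign use the md5(1) manpage describes.

DIGEST_BYTES = 2  # toy: keep only 16 bits of MD5 so a collision is cheap to find


def toy_digest(msg: bytes) -> int:
    """Truncated MD5, standing in for a hash whose collision resistance is gone."""
    return int.from_bytes(hashlib.md5(msg).digest()[:DIGEST_BYTES], "big")


# Textbook RSA with small, constructed parameters (no padding).  Enough to show
# that the signature depends only on the digest, never on the message itself.
P, Q = 999983, 1000003          # constructed small primes, not real key material
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def sign(msg: bytes) -> int:
    """Sign the digest of msg with the private exponent."""
    return pow(toy_digest(msg), D, N)


def verify(msg: bytes, sig: int) -> bool:
    """Recover the signed digest with the public exponent and compare."""
    return pow(sig, E, N) == toy_digest(msg)


def find_collision(prefix_a: bytes, prefix_b: bytes, limit: int = 1 << 17):
    """Birthday-style search on the toy hash: index digests of variants of
    prefix_a, then look for a variant of prefix_b landing on a seen digest.
    Returns (a, b) with a != b and toy_digest(a) == toy_digest(b), or None."""
    seen = {}
    for i in range(limit):
        m = prefix_a + b" #" + str(i).encode()
        seen.setdefault(toy_digest(m), m)
    for i in range(limit):
        m = prefix_b + b" #" + str(i).encode()
        d = toy_digest(m)
        if d in seen and seen[d] != m:
            return seen[d], m
    return None


def signature_transfers(benign: bytes, other: bytes) -> bool:
    """True if a signature issued on `benign` also verifies on `other`,
    which is exactly what a digest collision buys."""
    return verify(other, sign(benign))


if __name__ == "__main__":
    pair = find_collision(b"document A", b"document B")
    a, b = pair
    print("shared digest:", hex(toy_digest(a)))
    print("signature on A verifies on B:", signature_transfers(a, b))
```

The search succeeds because the toy digest has only 65536 possible values; the point is not the search but what follows from it: once any two distinct inputs share a digest, the signature on one verifies on the other, which is why the manpage's "secure manner" claim rests on collision resistance. The separate question the patch raises, recovering an input from a given digest, is a different property (preimage resistance) and is not what this example exercises.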
