"brian m. carlson" <sand...@crustytoothpaste.net> writes:

> MD5 is not suitable for any application requiring collision resistance,
> such as a key fingerprint. Please switch to one of the SHA-2 values
> instead, or upgrade to OpenSSH 6.8, which fixes this problem.
Fortunately, your premise is incorrect. Key fingerprints do /not/ require collision resistance, merely second-preimage resistance.

In finding a collision, the adversary comes up with two messages simultaneously, such that both of them have the same hash. So collisions are only a concern when both the original message whose authenticity you wanted to check /and/ the claimed copy of it obtained over an inauthentic channel might have been constructed by an adversary.

We use key fingerprints to check that we have correct copies of public keys. Presumably this is because we're going to trust the public key in some way. But if we're going to do that, we're making the /assumption/ that the proper public key was /not/ generated by the adversary -- since otherwise we'd be crazy to trust it for anything. And therefore it can't have been the output of some clever collision-finding algorithm, because only someone we shouldn't trust would do that.

The remaining possibility is that the adversary has managed to come up with a new public key (and matching private key) with the same fingerprint as the target key, which was generated by an honest party. But that's finding a second preimage, and it's /way/ harder than finding collisions. Currently, there are no known second-preimage attacks against MD5.

Ditching MD5 is a good idea, because attacks only get better with time. But the sky hasn't fallen yet.

-- 
[mdw]
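The distinction the reply draws (collision: the attacker chooses both messages; second preimage: one message is fixed by an honest party) can be made concrete with a toy experiment. The following is an added example, not code from the thread or from OpenSSH: it uses SHA-256 truncated to 20 bits as a stand-in for an ideal hash (an assumption so the searches finish in seconds), runs a birthday search for a collision and a brute-force search for a second preimage against a fixed, constructed "honest" key, and models the fingerprint check itself. The `ssh_fingerprint` helper reproduces the two real OpenSSH display formats (MD5 as colon-separated hex, SHA256 as unpadded base64 of the key blob) so the two hash choices from the quoted message can be seen side by side; the key blob it is fed here is a constructed byte string, not a real key.

```python
import base64
import hashlib

# Assumption for the toy experiment: an n-bit ideal hash, modelled as
# SHA-256 truncated to BITS bits.  20 bits keeps both searches fast.
BITS = 20


def toy_hash(data: bytes, bits: int = BITS) -> int:
    """Truncated SHA-256 standing in for an ideal bits-wide hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def accept_key(candidate_key: bytes, expected_fingerprint: int, bits: int = BITS) -> bool:
    """The fingerprint check: accept a key obtained over an untrusted channel
    only if it hashes to the fingerprint learned over an authentic channel."""
    return toy_hash(candidate_key, bits) == expected_fingerprint


def find_collision(bits: int = BITS):
    """Birthday search: the attacker controls BOTH messages, so any pair of
    candidates with equal hash will do.  Expected cost ~ 2**(bits/2) hashes.
    Returns (msg_a, msg_b, hashes_computed)."""
    seen = {}
    count = 0
    while True:
        m = b"attacker-chosen:" + count.to_bytes(8, "big")
        count += 1
        h = toy_hash(m, bits)
        if h in seen:
            return seen[h], m, count
        seen[h] = m


def find_second_preimage(honest_key: bytes, bits: int = BITS):
    """Second-preimage search: the honest key is FIXED by its owner, so the
    attacker must hit one specific hash value.  Expected cost ~ 2**bits hashes,
    i.e. the square of the collision cost.  Returns (forged_key, hashes_computed)."""
    target = toy_hash(honest_key, bits)
    count = 0
    while True:
        m = b"forged:" + count.to_bytes(8, "big")
        count += 1
        if m != honest_key and toy_hash(m, bits) == target:
            return m, count


def ssh_fingerprint(key_blob: bytes, algo: str = "SHA256") -> str:
    """OpenSSH-style display of a public key fingerprint.
    'MD5'    -> MD5:aa:bb:...    (pre-6.8 default)
    'SHA256' -> SHA256:<base64 without padding>  (6.8 and later default)"""
    if algo == "MD5":
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(key_blob).digest())
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed stand-in for an honest party's public key blob (not a real key).
HONEST_KEY = b"ssh-toy AAAA-constructed-honest-public-key-blob"


def main() -> None:
    a, b, coll_cost = find_collision()
    print(f"collision found after {coll_cost} hashes: {a!r} / {b!r}")
    honest_fp = toy_hash(HONEST_KEY)
    # The collision pair is useless against a fingerprint the attacker did not choose.
    print("collision half accepted as honest key?", accept_key(a, honest_fp), accept_key(b, honest_fp))
    forged, sp_cost = find_second_preimage(HONEST_KEY)
    print(f"second preimage found after {sp_cost} hashes: {forged!r}")
    print("forged key accepted?", accept_key(forged, honest_fp))
    print("collision vs second-preimage cost ratio:", sp_cost / coll_cost)
    for algo in ("MD5", "SHA256"):
        print(ssh_fingerprint(HONEST_KEY, algo))


if __name__ == "__main__":
    main()
```

Run it a few times: the collision turns up after roughly a thousand hashes, the second preimage after roughly a million, and only the latter is ever accepted against the honest fingerprint. That gap (2^(n/2) versus 2^n for an n-bit hash) is what the reply relies on; a practical collision attack on MD5 narrows the first number, but fingerprint verification of a key the adversary did not generate is only broken by the second.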