santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matthias Niggemeier" <l...@tthias.de>
Subject RE: MD5 algorithm in XSEC
Date Thu, 27 Oct 2005 11:25:00 GMT
 
> -----Original Message-----
> From: Milan Tomic [mailto:milan@setcce.org] 
> Sent: Thursday, October 27, 2005 10:43 AM
> To: security-dev@xml.apache.org
> Subject: RE: MD5 algorithm in XSEC

> Are you aware of recent collision findings for MD5 algorithm?
> 
> 
> I think that MD5 algorithm support should be removed from 
> Windows and Java as well (as soon as possible, with the next 
> release or service pack). By supporting MD5 algortihm we are 
> leaving security holes in our applications and we are giving 
> our users fake feeling of security. For example, my bank is 
> still using certificates signed with MD5 algorithm for 
> e-banking. We are approaching to disaster and it is a 
> question of a day or a month when we will hit the ground.


Milan,
from an academic point of view you are certainly right. But the
MD5 Algorithm is still widely used, so removing MD5 would lead
me into serious trouble. I receive XML-Files from embedded systems
for example; these systems cannot be updated (theoretically they can,
but how pays?).
"Security" is a consideration between risk, cost and convenience.
Even with a pessimistic point of view the risk that somebody changes
my xml-files having the same hash is extremely low. So there is only
little reason for me to change this. This is just an example, I think
there arer several applications that need MD5. So I would vote to leave
MD5-support as is, since it is standard conformand up today. Surely,
I would not recommend using it, but what when you get signed files
from an external source? Sometimes (like me) you just get the files,
without a chance to change the behaviour of the foreign system.

Regards

Matthias


Mime
View raw message