santuario-dev mailing list archives

From "Milan Tomic" <mi...@setcce.org>
Subject RE: MD5 algorithm in XSEC
Date Thu, 27 Oct 2005 08:42:53 GMT
Hello Werner,

Are you aware of recent collision findings for the MD5 algorithm?

For example:

1. Two certificates with the same MD5 digest (both certificates differ in only a few (5 or 6) bytes of the public key):

http://www.win.tue.nl/~bdeweger/CollidingCertificates/

2. Two PostScript files with the same MD5 digest:

http://www.cits.rub.de/MD5Collisions/

3. Two executables with the same MD5 digest:

http://cryptography.hyperlink.cz/2004/collisions.htm

4. There are even tools for creating MD5 collisions available:

http://www.codeproject.com/dotnet/HackingMd5.asp

I think that MD5 algorithm support should be removed from Windows and Java
as well (as soon as possible, with the next release or service pack). By
supporting the MD5 algorithm we are leaving security holes in our applications
and we are giving our users a fake feeling of security. For example, my bank
is still using certificates signed with the MD5 algorithm for e-banking. We are
approaching disaster and it is a question of a day or a month when we
will hit the ground.

Best regards,

Milan

 

 

  _____  

From: Dittmann, Werner [mailto:werner.dittmann@siemens.com] 
Sent: Wednesday, October 26, 2005 11:10 AM
To: security-dev@xml.apache.org
Subject: AW: MD5 algorithm in XSEC

 

Milan,

Some users of W3C security stuff, such as the OASIS WebService security
specification, also define and use MD5 together with Signature. Thus I would
not recommend removing it.

Regards,

Werner

 

-----Original Message-----
From: Milan Tomic [mailto:milan@setcce.org]
Sent: Wednesday, October 26, 2005 10:53
To: security-dev@xml.apache.org
Subject: MD5 algorithm in XSEC

Since the MD5 digest algorithm is not recommended by W3C
(http://www.w3.org/TR/xmldsig-core/#sec-MessageDigests) we might consider
removing it from XSEC?

