Bug 14158

Summary: md5(1) manpage should not claim the md5 algorithm to be secure
Product: Documentation
Reporter: efrias <efrias>
Component: Books & Articles
Assignee: FreeBSD Security Officer <security-officer>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description efrias 1999-10-06 10:00:00 UTC
[Warning: I am not a cryptographer]

The md5(1) manpage states:

It is conjectured that it is computationally infeasible to produce two messages
having the same message digest, or to produce any message having a given
prespecified target message digest.  The MD5 algorithm is intended for
digital signature applications, where a large file must be ``compressed''
in a secure manner before being encrypted with a private (secret) key under
a public-key cryptosystem such as RSA.

It is my understanding that MD5 is no longer considered suitable for 
cryptographic applications, since certain attacks have been developed.
The RSADSI FAQ provides several references.  See
http://www.rsasecurity.com/rsalabs/faq/3-6-6.html

If this is indeed the case, the manpage should be revised to mention
the weakness.

Fix: 

Have someone who understands cryptography review the information and
decide if the supposed weaknesses in the algorithm warrant revision
to the manpage.  Perhaps mention another, more secure, hashing program
from the manpage if one exists.
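The manpage excerpt quoted in the report names two distinct conjectures: that nobody can produce two messages with the same digest (collision resistance) and that nobody can produce a message for a prespecified digest (preimage resistance). The Python example below is added here for illustration and is not part of the bug report or of the FreeBSD sources. It makes the difference concrete by deliberately truncating MD5 to a small number of bits (a hypothetical `truncated_md5` helper) and counting how many hashes each search needs on that toy digest; the candidate messages are constructed inputs. Collisions cost about 2^(bits/2) hashes by the birthday bound and preimages about 2^bits, which is why a digest can become unsafe for signing documents supplied by someone else long before a given digest can be inverted. Nothing here touches the full 128-bit digest.

```python
import hashlib
import itertools
from typing import Dict, Tuple

# Added example (not from the bug report or the FreeBSD manpage). MD5 is
# weakened to its first `bits` bits so that both properties named in the
# md5(1) text can be exercised in seconds on a toy digest. Real MD5 is
# 128 bits; nothing here finds collisions or preimages for the full digest.


def truncated_md5(data: bytes, bits: int) -> int:
    """Leading `bits` bits of MD5(data) as an integer (toy, deliberately weak)."""
    if not 1 <= bits <= 128:
        raise ValueError("bits must be between 1 and 128")
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - bits)


def find_collision(bits: int) -> Tuple[bytes, bytes, int]:
    """Birthday search: remember each digest seen until two inputs share one.

    Returns (message_a, message_b, hashes_computed). Expected work is about
    sqrt(pi/2 * 2**bits) hashes, i.e. roughly 2**(bits/2).
    """
    seen: Dict[int, bytes] = {}
    for i in itertools.count():
        msg = b"collision-candidate-%d" % i  # constructed, all distinct
        h = truncated_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    raise AssertionError("unreachable: itertools.count() never ends")


def find_preimage(target: int, bits: int) -> Tuple[bytes, int]:
    """Exhaustive search for any input whose truncated digest equals `target`.

    Returns (message, hashes_computed). Expected work is about 2**bits hashes,
    the square of the collision cost: a hash can be unusable for signatures
    (collisions) while inverting a given digest stays far more expensive.
    """
    for i in itertools.count():
        msg = b"preimage-candidate-%d" % i  # constructed inputs
        if truncated_md5(msg, bits) == target:
            return msg, i + 1
    raise AssertionError("unreachable: itertools.count() never ends")


def compare_costs(bits: int) -> Dict[str, int]:
    """Run both searches on a `bits`-bit digest and report the hashes each needed."""
    _, _, collision_work = find_collision(bits)
    # Constructed stand-in for "a document the signer was shown".
    target = truncated_md5(b"document shown to the signer", bits)
    _, preimage_work = find_preimage(target, bits)
    return {
        "bits": bits,
        "collision_hashes": collision_work,
        "preimage_hashes": preimage_work,
    }


if __name__ == "__main__":
    # The preimage column grows about twice as fast (in bits) as the collision column.
    for n in (12, 16, 20):
        print(compare_costs(n))
```

Run it with a few digest widths and the preimage count roughly squares the collision count; that gap is the practical content of the distinction the manpage draws between "two messages having the same message digest" and "any message having a given prespecified target message digest".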
Comment 1 Murray Stokely 2001-09-04 01:16:01 UTC
State Changed
From-To: open->analyzed

How about this patch?  It is essentially taken from md5(3).  I think 
that we should mention the potential weakness in the user level 
command, not just in the library. 

Index: md5.1 
=================================================================== 
RCS file: /home/ncvs/src/sbin/md5/md5.1,v 
retrieving revision 1.15 
diff -u -r1.15 md5.1 
--- md5.1	2001/08/07 15:48:35	1.15 
+++ md5.1	2001/09/04 00:15:28 
@@ -28,6 +28,12 @@ 
key under a public-key cryptosystem such as 
.Em RSA . 
.Pp 
+MD5 has not yet (2001-09-03) been broken, but sufficient attacks have been 
+made that its security is in some doubt.  The attacks on MD5 
+are in the nature of finding ``collisions'' - that is, multiple 
+inputs which hash to the same value; it is still unlikely for an attacker 
+to be able to determine the exact original input given a hash value. 
+.Pp 
The following options may be used in any combination and must 
precede any files named on the command line.  The MD5 
sum of each file listed on the command line is printed after the options 
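Review bot: the hard-coded date in `+MD5 has not yet (2001-09-03) been broken, but sufficient attacks have been` will be stale the moment the page is installed and gives the reader nothing to check the claim against; either drop the date or cite the source of the statement (md5(3), from which this text is taken, or the RSA Labs FAQ URL the report points to). The paragraph also defines "collisions" as multiple inputs hashing to the same value and then contrasts that with recovering "the exact original input", which is the preimage property; since the preceding paragraph already states both conjectures, say plainly which one the attacks weaken so a reader signing documents supplied by others knows the collision conjecture is the one in doubt. Style: in mdoc the usual way to quote a word such as collisions is the `.Dq` macro rather than the literal ``'' pair used on the `+are in the nature of finding ``collisions'' - that is, multiple` line.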

Comment 2 Murray Stokely 2001-09-04 01:16:01 UTC
Responsible Changed
From-To: freebsd-doc->security-officer

A call for the security-officer to make.
Comment 3 Murray Stokely 2001-09-04 02:01:55 UTC
State Changed
From-To: analyzed->closed

Fix has been committed to -CURRENT, thanks.