The death of MD5 (and some SSL certificates)
Broken Chain of Trust
Researchers set out to compromise MD5 in an effort to convince people to stop using it. We explain how the attack worked and what this means for you.
Message Digest algorithm 5 (MD5 for short) is a one-way cryptographic hashing function. Put in its simplest terms, it takes input, mangles it, and generates a 128-bit value (usually expressed as a 32-character hexadecimal number such as 76ffd163bd23504cfeb873a9c027b2ed). The same input (e.g., password) will always have the same output (for example, 5f4dcc3b5aa765d61d8327deb882cf99). So why use MD5? When cryptographically signing data (such as email or SSL certificates), it is much more efficient to sign a cryptographic signature of the data rather than the entire block of data itself (128 bits of data compared with a kilobyte or more for an SSL certificate).
MD5 is widely used. For example, many Linux distributions use it by default to hash password values in the /etc/shadow password file, numerous SSL certificate authorities support it, and many application vendors use it rather than stronger algorithms such as SHA-1 or SHA-256 (a hashing algorithm similar in functionality to MD5).
Like any security issue, a continuum of choices generally ranges from a combination of "cheap, easy, insecure, and computationally inexpensive" to "expensive, difficult, secure, and computationally expensive." In the case of MD5, it falls somewhere in the middle, not so much because of any conscious choices to cut corners, but largely because of its age (it was invented in 1991).
Read full article as PDF »Security_Lessons_Death_of_MD5.pdf (196.64 kB)
ND5 signing certificatesAn interesting article on encryption algorithms, but more detail is needed about some of the comments about CAs in web-browsers. As Kurt states, some (but not all) of the Thawte & Verisign CAs use MD5 (& in some cases MD2) as their signature algorithm. However as far as I can tell this is not the case for any of the certificates from Comodo - they all seem to use SHA1. Perhaps I have a fully updated system for these certificates (I hope so) which has addressed the concerns, or are Kurt's comments about a different company?
Vendor D-Wave scores big with a sale to NASA's Quantum Intelligence Lab.
Many package updates and Steam integration highlight the latest from the Mandriva-based community Linux.
Richard Stallman calls for the W3C to remain independent of vendor interests.
The new release supports nine architectures, 73 human languages, and zero non-Free components.
Fedora developers release the first alpha version of Fedora 19, known as Schrödinger’s Cat, for general testing. The final release is expected in July 2013.
ack is a grep-like, command-line tool that has been optimized for programmers to search large trees of source code.
New features in SUSE Studio 1.3 include enhanced cloud integration, VM platform support, and lifecycle management.
The Linux Foundation recently announced that the Xen Project is becoming a Linux Foundation Collaborative Project.
Open source version of LiveCode is now available for developing apps, games, and utilities for all major platforms.
OpenDaylight is an open source software-defined networking project committed to furthering adoption of SDN and accelerating innovation in a vendor-neutral and open environment.