author Colin Percival <cperciva@FreeBSD.org> 2009-01-06 19:25:24 +0000
committer Colin Percival <cperciva@FreeBSD.org> 2009-01-06 19:25:24 +0000
commit 4c55b9e02e5991f9a5b64a13f1a13f92618ff12f (patch)
parent 853e670bb4c7c7baf2c38683c1b8f0472f12f2e3 (diff)
Strengthen some of the language concerning attacks on MD5, in light of the
recent demonstration of a forged SSL certificate. Add text pointing out that
SHA-1 is at least theoretically broken. Add a recommendation that new
applications use SHA-256.

MFC after: 1 month
@@ -49,15 +49,23 @@ key under a public-key cryptosystem such as
.Tn RSA .
.Tn MD5
-has not yet (2007-03-05) been broken, but sufficient attacks have been
-made that its security is in some doubt.
-The attacks on
+has been completely broken as far as finding collisions is
+concerned, and should not be relied upon to produce unique outputs.
+This also means that
.Tn MD5
-are in the nature of finding
-.Dq collisions
-\(em that is, multiple
-inputs which hash to the same value; it is still unlikely for an attacker
-to be able to determine the exact original input given a hash value.
+should not be used as part of a cryptographic signature scheme.
+At the current time (2009-01-06) there is no publicly known method to
+"reverse" MD5, i.e., to find an input given a hash value.
+.Tn SHA-1
+currently (2009-01-06) has no known collisions, but an attack has been
+found which is faster than a brute-force search, placing the security of
+.Tn SHA-1
+in doubt.
+It is recommended that all new applications use
+.Tn SHA-256
+instead of one of the other hash functions.
The following options may be used in any combination and must
precede any files named on the command line.
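Review bot: the added line `"reverse" MD5, i.e., to find an input given a hash value.` uses literal double quotes where the removed text used the mdoc `.Dq` macro (`.Dq collisions`); for consistent rendering across output devices, keep the macro form, e.g. `.Dq reverse` on its own line followed by `MD5, i.e., to find an input given a hash value.` Separately, both new paragraphs embed a hard-coded date (`At the current time (2009-01-06)`, `currently (2009-01-06) has no known collisions`), exactly the pattern the hunk is removing from the old `(2007-03-05)` text; since those statements will go stale silently, consider phrasing them without a literal date or noting in the commit that they need to be revisited. The substantive change, stating that MD5 is collision-broken and must not be used in a signature scheme while a preimage attack is not publicly known, and recommending SHA-256 for new applications, is accurate and clearly worded.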