Marc Bevand wrote:

> | Finding a collision for both MD5 and SHA-1 at the same time is
> | completely improbable.
>
> Finding a collision for SHA-1 was also deemed completely improbable ten
> years ago. However nowadays the attack seems very probable.
>
> My point is, finding a collision for both MD5 and SHA-1 will eventually
> get accomplished some day. If it was really considered improbable, then
> I suggest cryptographers stop researching secure hashing algorithms and
> start using the hash function H(x) = MD5(x) . SHA1(x), where '.' is the
> concatenation operator.

The performance of this hash function will be poor.

All this is irrelevant for the application we are looking at, namely
OpenBSD ports. As kjell pointed out, you need to perform a second
preimage attack and not a collision attack. Please read
http://www.ecrypt.eu.org/documents/S...H_STMT-1.1.pdf to
clearly understand the difference.

All the attacks that have been found so far are collision attacks, not
second preimage attacks. Therefore, these attacks mainly have
implications on digital signatures.

If an attacker succeeds in finding a second preimage for a certain hash
value (of a tarball you want to download), he will also need to
construct a corrupted compressed tarball with the second preimage. Not
so simple either.


Cheers,

Dries