[Cryptography] Oracle discovers the 1990s in crypto
John Levine
johnl at iecc.com
Sun Jan 22 10:45:08 EST 2017
In article <b3474ca018e245b39d6b241ef8f9100f at uxcn13-ogg-d.UoA.auckland.ac.nz> you write:
>In case anyone missed it, Oracle will soon deprecate MD5 and use of keys under
>1024 bits, and allow keys larger than 1024 bits to be used:
I understand the problem with 1K keys, you can use collisions to make
a fake signature.
But I'm wondering how real the MD5 threat is in practice. Java JAR files
are ZIP files containing a manifest that lists the other files and can
contain signed hashes of the other files. So I can see how I could generate
a collision and replace one of the other files with garbage, which might
crash a poorly debugged Java implmentation. But how likely is it that I
could replace one of the other files with a different Java program?
R's,
John
More information about the cryptography
mailing list