[Cryptography] Oracle discovers the 1990s in crypto

John Levine johnl at iecc.com
Sun Jan 22 10:45:08 EST 2017


In article <b3474ca018e245b39d6b241ef8f9100f at uxcn13-ogg-d.UoA.auckland.ac.nz> you write:
>In case anyone missed it, Oracle will soon deprecate MD5 and use of keys under
>1024 bits, and allow keys larger than 1024 bits to be used:

I understand the problem with 1K keys, you can use collisions to make
a fake signature.

But I'm wondering how real the MD5 threat is in practice.  Java JAR files
are ZIP files containing a manifest that lists the other files and can
contain signed hashes of the other files.  So I can see how I could generate
a collision and replace one of the other files with garbage, which might
crash a poorly debugged Java implmentation.  But how likely is it that I
could replace one of the other files with a different Java program?

R's,
John


More information about the cryptography mailing list