
Security level is measured in bits of bruteforcing: base-2 log of how many combinations you have to try before finding a solution. The problem described - finding a blob that matches the hash - is still bruteforcing an MD5 key of 128 bits, which is impossible for all practical purposes. The collision attack is only relevant if the attacker creates the original private key, but in that case they already know the private key and don't have to break the hash. So it's irrelevant here. 128 bits of security is somewhere in the realm of using all the sun's energy output for 100 years with the theoretical most efficient possible computer - so possibly achievable by a future alien race with very advanced technology. 256 bits is a newer recommendation, which is more like using all the energy in the universe for the lifetime of the universe, which is both practically and theoretically impossible. But 128 is still safe from prying humans here on earth. (Birthday attacks are another reason to go to 256, but they're also not relevant here unless the attacker is generating the original private key)

On 31 August 2025 23:03:21 CEST, brent saner via NANOG <nanog@lists.nanog.org> wrote:
On Sun, Aug 31, 2025, 16:39 Krassimir Tzvetanov via NANOG < nanog@lists.nanog.org> wrote:
When we talk about SSH, complexity explodes, because you need to find an MD5 collision that is also a "collision" with the public key (which means both have to have the same modulus). To say it simpler, you will have to calculate multiple MD5 collisions and test each one of them if it can satisfy the public key.
Normally, yes. But unless I read the email incorrectly, the problem is IOS just uses an MD5 of the key sent by the client and verdicts auth *based on the checksum match*. If it matches, it just uses the key the client sent.
Which means if IOS does no pubkey packet length validation, you no longer need to generate a keypair that has a pubkey that collides on MD5. You just need a blob that collides with that hash, and will *truncate* to a key you control. Which is much easier to collide.
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/IUQM7XIN...
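The thread turns on the difference between a preimage search (about 2^n trials for an n-bit hash) and a birthday collision search (about 2^(n/2) trials), and on why matching a key by its fingerprint alone is weaker than matching the full key blob. The script below is an added illustration written for this archive page; it is not code from any of the posters or from any vendor. It truncates MD5 to a small width so the two searches finish in seconds on an ideal-hash model, and ends with the defender-side check: compare the whole presented key to the authorized key with a constant-time comparison instead of comparing digests. The candidate strings, the 16-bit width and the function names are all constructed for the example.

```python
import hashlib
import hmac


def effort_bits(hash_bits: int, attack: str) -> int:
    """Expected work, in 'bits of bruteforcing' (log2 of trials), for a generic
    attack on an ideal n-bit hash. This is the arithmetic behind the thread's
    128-bit vs 64-bit figures for MD5."""
    if attack == "preimage":      # find x with H(x) == target: ~2^n trials
        return hash_bits
    if attack == "collision":     # find any x != y with H(x) == H(y): ~2^(n/2) trials
        return hash_bits // 2
    raise ValueError(f"unknown attack model: {attack}")


def truncated_md5(data: bytes, bits: int) -> int:
    """Keep only the leading `bits` of MD5 so the searches below are fast.
    Real MD5 is 128 bits; the truncation is purely for demonstration."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)


def find_preimage(target: int, bits: int, limit: int = 1 << 24):
    """Second-preimage style search: walk a deterministic counter until one
    candidate's truncated hash equals `target`. Returns (candidate, trials)."""
    for i in range(limit):
        candidate = b"candidate-%d" % i          # constructed input stream
        if truncated_md5(candidate, bits) == target:
            return candidate, i + 1
    return None, limit


def find_collision(bits: int, limit: int = 1 << 24):
    """Birthday search: remember every hash seen and stop at the first repeat.
    Returns (first, second, trials); trials is around 2^(bits/2)."""
    seen = {}
    for i in range(limit):
        candidate = b"candidate-%d" % i
        h = truncated_md5(candidate, bits)
        if h in seen:
            return seen[h], candidate, i + 1
        seen[h] = candidate
    return None, None, limit


def key_matches(presented: bytes, authorized: bytes) -> bool:
    """Defender-side check: compare the complete public key blob the client
    presented against the stored authorized blob, in constant time. Matching
    only a digest of the blob is the weakness the thread discusses."""
    return hmac.compare_digest(presented, authorized)


if __name__ == "__main__":
    width = 16                                   # constructed demo width
    target = truncated_md5(b"authorized-key-blob", width)
    pre, pre_trials = find_preimage(target, width)
    a, b, col_trials = find_collision(width)
    print(f"{width}-bit preimage found after {pre_trials} trials "
          f"(expected ~2^{effort_bits(width, 'preimage')})")
    print(f"{width}-bit collision found after {col_trials} trials "
          f"(expected ~2^{effort_bits(width, 'collision')}): {a!r} vs {b!r}")
    print("MD5 preimage:", effort_bits(128, "preimage"), "bits;",
          "MD5 collision:", effort_bits(128, "collision"), "bits")
    print("full-blob match:", key_matches(b"ssh-ed25519 AAAA", b"ssh-ed25519 AAAA"))
```

The two searches are deterministic (they walk the same counter each run), so the trial counts are reproducible; the collision count lands near 2^8 while the preimage count lands near 2^16, which is the gap the first poster is pointing at when distinguishing a collision from a preimage on the full 128-bit MD5.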