On Wed, 11 Oct 2006 23:57:45 +0300 "Roman Kyrylych" <roman.kyrylych@gmail.com> wrote:

> Hi!
>
> 2006/10/11, Jason Chu <jason@archlinux.org>:
> > On Wed, 11 Oct 2006 10:57:53 -0500 "Aaron Griffin" <aaronmgriffin@gmail.com> wrote:
> > > b) I don't feel that anything is gained from using sha1sums. md5 is the de facto file integrity check. We're not using md5 as a cryptographic algorithm, we're checking file integrity
> >
> > I talked to Judd about this one. I'd noticed it while at LinuxTag a couple years back...
> >
> > While, on the surface, we use md5sums to check file integrity, during building we use it to verify that two downloads (at different time periods) are the same. In this situation, it's possible to craft a malicious tarball that matches the md5sum but has a different payload.
>
> Yes, there were a few security papers posted about MD5 collisions and how to use them.

Most of the ones I've seen talked about creating md5 collisions between two files, not creating a file with the same md5 as another file (there's a distinction).

> > JGC was the one who suggested we use md5sums and sha1sums together because it's much more difficult to craft something malicious that matches both of them. I wrote a patch for makepkg a long time ago, but Judd didn't accept it because sha1sums were a lot longer and looked ugly in a PKGBUILD.
>
> Mmm... I don't think that using md5sum & sha1sum at the same time will make things more secure. md5sum will not matter in that case, because security will depend on the strongest part in such a case, which is, obviously, sha1sum.

It's not about one over the other. It's the fact that you don't just have to find a sha1 collision or an md5 collision, but you have to find a sha1 collision *and* an md5 collision with a single file. If you find a sha1 collision without an md5 collision, changing the file to create an md5 collision will make them not match sha1 hashes anymore. It makes it much more computationally difficult.

> I propose to use SHA-512 instead, which is basically a stronger version of SHA1.
>
> > I don't have experience with many things other than md5 and sha1.
>
> I have much practical experience and theoretical knowledge to say that this will be the best choice in terms of both security and simplicity of implementation.

I don't know how telling us you have experience helps you convince us... I do agree that having one hash over two is more simple. I don't necessarily agree that it's more secure.

Jason
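The "must match every listed digest" rule argued for above, as an added example (not code from this thread and not makepkg's own implementation): a small Python verifier that reads the `md5sums`, `sha1sums` and `sha512sums` arrays out of PKGBUILD-style text, hashes each source blob with every algorithm present, and only accepts a source when all of its digests match. The PKGBUILD text and the "tarballs" are constructed stand-ins; the `COLLIDED_PKGBUILD` case simulates an attacker who managed to get the md5 entry to match a tampered file, to show that a second, independent digest still rejects it. Only the three array names and the regex format are assumed.

```python
import hashlib
import re

# PKGBUILD checksum array name -> hashlib algorithm name.
# Assumption: only these three arrays are honoured (no 'SKIP' entries).
DIGEST_ALGOS = {"md5sums": "md5", "sha1sums": "sha1", "sha512sums": "sha512"}


def parse_checksum_arrays(pkgbuild_text):
    """Return {array_name: [hexdigest, ...]} for every *sums array present.

    Matches bash-style arrays such as  sha1sums=('abc...' 'def...')  that may
    span several lines; digests are normalised to lowercase hex.
    """
    arrays = {}
    for name in DIGEST_ALGOS:
        m = re.search(r"^%s=\(([^)]*)\)" % name, pkgbuild_text, re.M)
        if m:
            arrays[name] = [d.lower() for d in re.findall(r"'([0-9a-fA-F]+)'", m.group(1))]
    return arrays


def verify_sources(pkgbuild_text, sources):
    """Check each source blob against every digest array listed in the PKGBUILD.

    sources is a list of bytes objects in the same order as the checksum arrays.
    Returns (all_ok, report) where report[i] maps algorithm -> matched (bool).
    A source passes only if *every* listed algorithm matches, so an attacker
    must defeat all of them with the same file, not just the weakest one.
    """
    arrays = parse_checksum_arrays(pkgbuild_text)
    if not arrays:
        raise ValueError("PKGBUILD lists no checksum arrays")
    for name, digests in arrays.items():
        if len(digests) != len(sources):
            raise ValueError("%s has %d entries for %d sources" % (name, len(digests), len(sources)))

    report = []
    all_ok = True
    for i, data in enumerate(sources):
        per_algo = {}
        for name, digests in arrays.items():
            algo = DIGEST_ALGOS[name]
            actual = hashlib.new(algo, data).hexdigest()
            per_algo[algo] = (actual == digests[i])
        all_ok = all_ok and all(per_algo.values())
        report.append(per_algo)
    return all_ok, report


# Constructed sample data: a tiny stand-in for a downloaded tarball and a
# tampered copy of it.  The digests below are the standard test vectors for b"abc".
GOOD_TARBALL = b"abc"
EVIL_TARBALL = b"abd"

SAMPLE_PKGBUILD = """
pkgname=example
pkgver=1.0
source=('example-1.0.tar.gz')
md5sums=('900150983cd24fb0d6963f7d28e17f72')
sha1sums=('a9993e364706816aba3e25717850c26c9cd0d89d')
"""

# Simulation of a partially successful attacker: the md5sums entry has been
# made to match EVIL_TARBALL (as if an MD5 collision had been found), while
# the sha1sums entry still describes the genuine file.
COLLIDED_PKGBUILD = SAMPLE_PKGBUILD.replace(
    "900150983cd24fb0d6963f7d28e17f72", hashlib.md5(EVIL_TARBALL).hexdigest())


if __name__ == "__main__":
    for label, text, blob in [("genuine", SAMPLE_PKGBUILD, GOOD_TARBALL),
                              ("tampered", SAMPLE_PKGBUILD, EVIL_TARBALL),
                              ("md5 forged", COLLIDED_PKGBUILD, EVIL_TARBALL)]:
        ok, report = verify_sources(text, [blob])
        print("%-10s ok=%-5s %s" % (label, ok, report[0]))
```

In the "md5 forged" case the report shows md5 matching and sha1 failing, and the overall verdict is still a rejection: that is the AND of the two checks that the discussion hinges on. Swapping the arrays for a single `sha512sums` line works with the same code, since every array present is enforced and none is optional.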