[pacman-dev] md5sum's aren't used as cryptographic algorithm? (was: $ARCH suffix on packages)

Jason Chu jason at archlinux.org
Wed Oct 11 17:47:30 EDT 2006

On Wed, 11 Oct 2006 23:57:45 +0300
"Roman Kyrylych" <roman.kyrylych at gmail.com> wrote:

> Hi!
> 2006/10/11, Jason Chu <jason at archlinux.org>:
> > On Wed, 11 Oct 2006 10:57:53 -0500
> > "Aaron Griffin" <aaronmgriffin at gmail.com> wrote:
> >
> > > b) I don't feel that anything is gained from using sha1sums.  md5
> > > is the defacto file integrity check.  We're not using md5 as a
> > > cryptographic algorithm, we're checking file integrity
> >
> > I talked to Judd about this one.  I'd noticed it while at LinuxTag a
> > couple years back...
> >
> > While, on the surface we use md5sums to check file integrity, during
> > building we use it to verify that two downloads (at different time
> > periods) are the same. In this situation, it's possible to craft a
> > malicious tarball that matches the md5sum but has a different
> > payload.
> Yes, there were few security papers posted about MD5 collisions and
> how to use them.

Most of the ones I've seen talked about creating md5 collisions between
two files, not creating a file with the same md5 as another file
(there's a distinction).

> > JGC was the one who suggested we use md5sums and sha1sums together
> > because it's much more difficult to craft something malicious that
> > matches both of them.  I wrote a patch for makepkg a long time ago,
> > but Judd didn't accept it because sha1sums were a lot longer and
> > looked ugly in a PKGBUILD.
> Mmm... I don't think that using md5sum & sha1sum at the same time will
> make things more secure. md5sum will not matters in that case, because
> security will depend on the strongest part in such case, which is,
> obviously, sha1sum.

It's not about one over the other.  It's the fact that you don't just
have to find a sha1 collision or an md5 collision, but you have to find
a sha1 collision *and* an md5 collision with a single file.

If you find a sha1 collision without an md5 collision, changing the
file to create an md5 collision will make them not match sha1 hashes
anymore.  It makes it much more computationally difficult.  

> I propose to use SHA-512 instead which is basically a stronger
> version of SHA1.

I don't have experience with many things other than md5 and sha1.

> I have much practical experience and theoretical knowledge to say that
> this will be the best choice in terms of both security and simplicity
> of implementation.

I don't know how telling us you have experience helps you convince us...

I do agree that having one hash over two is more simple.  I don't
necessarily agree that it's more secure.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://archlinux.org/pipermail/pacman-dev/attachments/20061011/47035bb6/attachment.pgp>

More information about the pacman-dev mailing list