[pacman-dev] md5sum's aren't used as cryptographic algorithm? (was: $ARCH suffix on packages)
Jason Chu
jason at archlinux.org
Wed Oct 11 17:47:30 EDT 2006
On Wed, 11 Oct 2006 23:57:45 +0300
"Roman Kyrylych" <roman.kyrylych at gmail.com> wrote:
> Hi!
>
> 2006/10/11, Jason Chu <jason at archlinux.org>:
> > On Wed, 11 Oct 2006 10:57:53 -0500
> > "Aaron Griffin" <aaronmgriffin at gmail.com> wrote:
> >
> > > b) I don't feel that anything is gained from using sha1sums. md5
> > > is the defacto file integrity check. We're not using md5 as a
> > > cryptographic algorithm, we're checking file integrity
> >
> > I talked to Judd about this one. I'd noticed it while at LinuxTag a
> > couple years back...
> >
> > While, on the surface we use md5sums to check file integrity, during
> > building we use it to verify that two downloads (at different time
> > periods) are the same. In this situation, it's possible to craft a
> > malicious tarball that matches the md5sum but has a different
> > payload.
>
> Yes, there were few security papers posted about MD5 collisions and
> how to use them.
Most of the ones I've seen talked about creating md5 collisions between
two files, not creating a file with the same md5 as another file
(there's a distinction).
> > JGC was the one who suggested we use md5sums and sha1sums together
> > because it's much more difficult to craft something malicious that
> > matches both of them. I wrote a patch for makepkg a long time ago,
> > but Judd didn't accept it because sha1sums were a lot longer and
> > looked ugly in a PKGBUILD.
>
> Mmm... I don't think that using md5sum & sha1sum at the same time will
> make things more secure. md5sum will not matters in that case, because
> security will depend on the strongest part in such case, which is,
> obviously, sha1sum.
It's not about one over the other. It's the fact that you don't just
have to find a sha1 collision or an md5 collision, but you have to find
a sha1 collision *and* an md5 collision with a single file.
If you find a sha1 collision without an md5 collision, changing the
file to create an md5 collision will make them not match sha1 hashes
anymore. It makes it much more computationally difficult.
> I propose to use SHA-512 instead which is basically a stronger
> version of SHA1.
I don't have experience with many things other than md5 and sha1.
> I have much practical experience and theoretical knowledge to say that
> this will be the best choice in terms of both security and simplicity
> of implementation.
I don't know how telling us you have experience helps you convince us...
I do agree that having one hash over two is more simple. I don't
necessarily agree that it's more secure.
Jason
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://archlinux.org/pipermail/pacman-dev/attachments/20061011/47035bb6/attachment.pgp>
More information about the pacman-dev
mailing list