Re: dpkg-sig support wanted?

To: debian-devel@lists.debian.org
Subject: Re: dpkg-sig support wanted?
From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
Date: Tue, 29 Nov 2005 14:08:45 +0100
Message-id: <[🔎] 871x0zsisi.fsf@informatik.uni-tuebingen.de>
In-reply-to: <[🔎] 20051125234624.GA13795@uio.no> (Steinar H. Gunderson's message of "Sat, 26 Nov 2005 00:46:24 +0100")
References: <[🔎] 877jb0iswl.fsf@nahar.marcbrockschmidt.de> <[🔎] 87fypntzzo.fsf@mid.deneb.enyo.de> <[🔎] 20051123160817.GB13417@cyan.localnet> <[🔎] 20051123220920.GD5414@hezmatt.org> <[🔎] 20051124023037.GE15019@cyan.localnet> <[🔎] 20051124131345.GE17550@khazad-dum.debian.net> <[🔎] 20051125025707.GD19298@cyan.localnet> <[🔎] 87wtiwh7tv.fsf@mid.deneb.enyo.de> <[🔎] 20051125231302.GD21979@cyan.localnet> <[🔎] 20051125234624.GA13795@uio.no>

"Steinar H. Gunderson" <sgunderson@bigfoot.com> writes:

> On Sat, Nov 26, 2005 at 09:13:02AM +1000, Anthony Towns wrote:
>>> Moving away from MD5 is certainly not a bad idea, but it's not clear
>>> whether the alternatives are any better.  Sure, everyone recommends
>>> SHA-256 at this stage, but nobody can give a rationale.
>> MD5 is broken; SHA-1 is where MD5 was a couple of years ago, SHA256 (or
>> higher) are significantly harder to break in practice, and there's
>> nothing better yet.
>
> Just a comment here for those who are not used to hash functions: "Broken"
> here means that you can generate collisions faster than using the birthday
> attack (2^64 for MD5, 2^80 for SHA-1). It does not have to mean that you
> can do _really_ evil stuff, like generate a second file with the same MD5
> hash as a given file (so-called "second preimage", IIRC) and to the best of
> my knowledge, nobody has done so yet).

According to slashdot articles you can generate human readable files
(like the Packages file) with md5sum collision in ~45minutes on a
modern cpu now.

I think that counts as broken. Luckily for us we also have the size of
the file.

MfG
        Goswin

Reply to:

Follow-Ups:
- Re: dpkg-sig support wanted?
  - From: Jochen Voss <voss@seehuhn.de>

References:
- dpkg-sig support wanted?
  - From: Marc 'HE' Brockschmidt <he@debian.org>
- Re: dpkg-sig support wanted?
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: dpkg-sig support wanted?
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: dpkg-sig support wanted?
  - From: Matthew Palmer <mpalmer@debian.org>
- Re: dpkg-sig support wanted?
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: dpkg-sig support wanted?
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: dpkg-sig support wanted?
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: dpkg-sig support wanted?
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: dpkg-sig support wanted?
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: dpkg-sig support wanted?
  - From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>

Prev by Date: Re: Secret changes for binNMUs
Next by Date: Re: dpkg-sig support wanted?
Previous by thread: Re: dpkg-sig support wanted?
Next by thread: Re: dpkg-sig support wanted?
Index(es):
- Date
- Thread