On Sat, Nov 26, 2005 at 09:13:02AM +1000, Anthony Towns wrote:
>> Moving away from MD5 is certainly not a bad idea, but it's not clear
>> whether the alternatives are any better.  Sure, everyone recommends
>> SHA-256 at this stage, but nobody can give a rationale.
> MD5 is broken; SHA-1 is where MD5 was a couple of years ago, SHA256 (or
> higher) are significantly harder to break in practice, and there's
> nothing better yet.

Just a comment here for those who are not used to hash functions: "Broken"
here means that you can generate collisions faster than using the birthday
attack (2^64 for MD5, 2^80 for SHA-1). It does not have to mean that you
can do _really_ evil stuff, like generate a second file with the same MD5
hash as a given file (so-called "second preimage", IIRC), and to the best of
my knowledge, nobody has done so yet.

However, there's a long way from "you can't generate a valid .deb with a
given md5sum easily" to "SHA-256 is no better than MD5". You can generate
an MD5 collision in four hours on a standard desktop computer today; you're
nowhere near that for SHA-1, and SHA-256 is still AFAIK not broken (although
it relies on the same basic structure as MD5 and SHA-1). All three might
eventually be truly broken, but you can bet that MD5 will be the first to
go. If you use SHA-256 today instead of MD5, you probably buy yourself a
few extra years, which you can use to smooth out the transition to the next
hash function when the world advances.
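The collision-versus-second-preimage distinction above, as an added Python example that is not from the original thread: it tabulates the generic work factors the reply quotes and runs both searches against a deliberately truncated SHA-256 so the gap is observable in seconds (the truncation, the counter-style messages and the target name are constructed for the demo).

```python
import hashlib

# Output size in bits of the three hashes discussed in the thread.
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha256": 256}


def generic_work(name):
    """Generic attack costs as log2(hash evaluations) for an n-bit hash:
    birthday collision ~ 2^(n/2)  (the 2^64 / 2^80 figures in the mail),
    second preimage    ~ 2^n      (what 'truly broken' would require)."""
    n = DIGEST_BITS[name]
    return {"collision_log2": n // 2, "second_preimage_log2": n}


def trunc(data, bits, algo="sha256"):
    # Keep only the top `bits` bits of the digest so the experiment is feasible;
    # this truncation is an artificial weakening for demonstration only.
    full = int.from_bytes(hashlib.new(algo, data).digest(), "big")
    return full >> (DIGEST_BITS[algo] - bits)


def birthday_collision(bits, algo="sha256"):
    """Any two distinct inputs with equal truncated hash.
    Expected trials ~ 2^(bits/2). Returns (msg_a, msg_b, trials)."""
    seen = {}
    i = 0
    while True:
        m = f"msg-{i}".encode()          # constructed message stream
        t = trunc(m, bits, algo)
        if t in seen:
            return seen[t], m, i + 1
        seen[t] = m
        i += 1


def second_preimage(target, bits, algo="sha256"):
    """A different input with the same truncated hash as `target`.
    Expected trials ~ 2^bits. Returns (msg, trials)."""
    goal = trunc(target, bits, algo)
    i = 0
    while True:
        m = f"alt-{i}".encode()
        if m != target and trunc(m, bits, algo) == goal:
            return m, i + 1
        i += 1


if __name__ == "__main__":
    for h in DIGEST_BITS:
        print(h, generic_work(h))
    a, b, n1 = birthday_collision(20)
    m, n2 = second_preimage(b"hypothetical.deb", 20)
    print(f"20-bit collision after {n1} trials, second preimage after {n2}")
```

Even at a toy 20-bit truncation the collision typically turns up after about a thousand trials while the second preimage needs about a million, which is the asymmetry the reply is pointing at.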

