
Re: dpkg-sig support wanted?



* Anthony Towns:

> On Fri, Nov 25, 2005 at 07:59:40PM +0100, Florian Weimer wrote:
>> * Anthony Towns:
>> > (I'm amazed the security "crisis" we're having is about deb sigs
>> > *again*, when we're still relying on md5sum which has a public exploit
>> > available now...)
>> These exploits are irrelevant as far as the Debian archive is
>> concerned.  (And that's not because hardly any sarge user verifies the
>> MD5 hashes, by the way. 8-)

(I meant that the signature on a hash of those hashes is not
verified.)

> Uh. You're seriously putting your reputation on that claim?

Yes.  To attack the Debian archive, you need to carry out a preimage
attack.  Nothing in that direction has been published so far.

For the "exploits" we have seen so far to work, the malicious party
needs upload access to the archive and has to plant a specially
crafted package there, for which they have created an evil twin
package.  (Same for attacking one of the text files listing hashes.)
Looks a bit far-fetched to me.

>> Moving away from MD5 is certainly not a bad idea, but it's not clear
>> whether the alternatives are any better.  Sure, everyone recommends
>> SHA-256 at this stage, but nobody can give a rationale.
>
> MD5 is broken; SHA-1 is where MD5 was a couple of years ago, SHA256 (or
> higher) are significantly harder to break in practice,

So?  If SHA256 is so much better, why is it that nobody can prove it, or
at least can provide some evidence which supports that claim?  "The
numbers are bigger" is the main argument at this point, which is
awfully similar to the usual snake-oil arguments (although there is a
slight difference, of course).

On the other hand, the cost of adding another hash function is not
that high for Debian, compared to other deployments.  Adding SHA256
and RSHA a few months (hopefully, years) later doesn't really hurt
that much, I guess.

> and there's nothing better yet.

In terms of security, there are some better hash functions.  But those
are academic designs, most of them based on big integer arithmetic
instead of bit fiddling.  Currently, nobody seems to be willing to pay
the price that comes with them.
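
As an added example (not part of the original message and not Debian's own code), the hash chain this message discusses can be sketched in Python: a top-level entry lists the hashes of a Packages file, which in turn lists the hashes of a .deb, and every hash field present on a link has to match. The simplified stanza layout, the sample data and the function names are assumptions; checking the signature on the top-level file is out of scope here.

```python
import hashlib

# Hash field names as used in Debian Packages stanzas -> hashlib algorithm.
HASH_FIELDS = {"MD5sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def parse_stanza(text):
    """Parse one 'Key: value' stanza into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def verify_blob(blob, fields, required=("SHA256",)):
    """Check size and every listed hash; fail closed if a required hash is absent."""
    if any(name not in fields for name in required):
        return False
    if int(fields.get("Size", -1)) != len(blob):
        return False
    for name, algo in HASH_FIELDS.items():
        if name in fields and hashlib.new(algo, blob).hexdigest() != fields[name].lower():
            return False
    return True

def make_stanza(name, blob, algos=HASH_FIELDS):
    """Build a stanza for the constructed sample data below (hypothetical helper)."""
    lines = [f"Filename: {name}", f"Size: {len(blob)}"]
    lines += [f"{field}: {hashlib.new(algo, blob).hexdigest()}" for field, algo in algos.items()]
    return "\n".join(lines)

# Constructed sample data, not a real package or a real archive index.
DEB = b"!<arch>\nconstructed sample package body\n"
PACKAGES = make_stanza("pool/main/e/example/example_1.0_all.deb", DEB)
# Simplified stand-in for the entry the signed top-level file holds for Packages.
RELEASE_ENTRY = make_stanza("main/binary-all/Packages", PACKAGES.encode())

def verify_chain(deb, packages_text, release_entry_text):
    """Top-level entry -> Packages file -> .deb; every link must hold."""
    if not verify_blob(packages_text.encode(), parse_stanza(release_entry_text)):
        return False
    return verify_blob(deb, parse_stanza(packages_text))

if __name__ == "__main__":
    print(verify_chain(DEB, PACKAGES, RELEASE_ENTRY))         # untouched chain
    print(verify_chain(DEB + b"x", PACKAGES, RELEASE_ENTRY))  # modified package
```

With several hash fields on each link, a replacement file has to match all of them at once, and the `required` argument rejects an index that carries only the older hash.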


