Re: dpkg-sig support wanted?

To: debian-devel@lists.debian.org
Subject: Re: dpkg-sig support wanted?
From: Henning Makholm <henning@makholm.net>
Date: Mon, 28 Nov 2005 22:15:34 +0100
Message-id: <[🔎] 877jaso4nd.fsf@kreon.lan.henning.makholm.net>
References: <[🔎] 20051125231302.GD21979@cyan.localnet> <[🔎] 20051125234624.GA13795@uio.no> <[🔎] 20051126050831.GX3063@p12n.org> <[🔎] 87br07fvmh.fsf@kreon.lan.henning.makholm.net> <[🔎] 874q5z3795.fsf@mid.deneb.enyo.de> <[🔎] 87u0dzeekh.fsf@kreon.lan.henning.makholm.net> <[🔎] 87oe47zazc.fsf@mid.deneb.enyo.de> <[🔎] 87veyfosj1.fsf@kreon.lan.henning.makholm.net> <[🔎] 20051127051027.GB3063@p12n.org> <[🔎] 20051128090722.GA29959@cyan.localnet> <[🔎] 20051128180933.GD3063@p12n.org>

Scripsit Peter Samuelson <peter@p12n.org>

> For large files, getting a cryptographic checksum is more about reading
> blocks off the disk than about CPU time.  So it wouldn't be completely
> ridiculous to allow sha-1 to remain ambiguous with competing 160-bit
> hashes, and have --check check for all of them (reading the file only
> once).

That sounds cryptographically unsafe. It would mean that a practical
preimage attack against _any_ of the supported hashes would break the
entire system. That's not the kind of algorithm agility we need.

> I still think two-byte prefixes for non-md5-non-sha1 hashes makes some
> sense, like s- for sha-256.

That is much better. But let's use "s." as a prefix and do a
[/+] -> [_-] substitution on the following base64 data. The dot
in the prefix will prevent the prefix from being mistaken as part of a
slightly larger non-tagged hash value.

>>   $ dsum -a sha1 foo; sha1sum foo
>>   f572d396fae9206628714fb2ce00f72e94f2258f  foo
>>   f572d396fae9206628714fb2ce00f72e94f2258f  foo

There appears to be to few characters of hash there, at least unless
it is a cosmically weird coincidence that it base64 encodes to all hex
digits. :-)

I would expect something like

$ dsum -a sha1 COPYING; sha1sum COPYING
s.w4runjyMTV1ZT_VIob4FRTAjAW1ihpMfZRLbIV7B_UI  COPYING
s.w4runjyMTV1ZT_VIob4FRTAjAW1ihpMfZRLbIV7B_UI  COPYING
$ dsum -a sha1 -a md5 COPYING
s.w4runjyMTV1ZT_VIob4FRTAjAW1ihpMfZRLbIV7B_UI  COPYING
4325afd396febcb659c36b49533135d4  COPYING
$ echo moooooooo | sha1sum -
s.-tUTs04N4IxBOtWpdoIXt1b0qgHIgNm9IC_OgYjm-mU  -

-- 
Henning Makholm            "But I am a Sunni Muslim," the bemused Arab said.

Reply to:

Follow-Ups:
- Re: dpkg-sig support wanted?
  - From: Anthony Towns <aj@azure.humbug.org.au>

References:
- Re: dpkg-sig support wanted?
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: dpkg-sig support wanted?
  - From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
- Re: dpkg-sig support wanted?
  - From: Peter Samuelson <peter@p12n.org>
- Re: dpkg-sig support wanted?
  - From: Henning Makholm <henning@makholm.net>
- Re: dpkg-sig support wanted?
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: dpkg-sig support wanted?
  - From: Henning Makholm <henning@makholm.net>
- Re: dpkg-sig support wanted?
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: dpkg-sig support wanted?
  - From: Henning Makholm <henning@makholm.net>
- Re: dpkg-sig support wanted?
  - From: Peter Samuelson <peter@p12n.org>
- Re: dpkg-sig support wanted?
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: dpkg-sig support wanted?
  - From: Peter Samuelson <peter@p12n.org>

Prev by Date: NOW !! Al haramain Sermons Makkah & Madina
Next by Date: Re: Bug#341127: ITP: libformvalidator-simple-perl -- validation with simple chains of constraints
Previous by thread: Re: dpkg-sig support wanted?
Next by thread: Re: dpkg-sig support wanted?
Index(es):
- Date
- Thread