[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)



[Christoph Anton Mitterer]
> Wouldn't it make sense to start discussions about moving to the
> "strongest" possible?

No.  What makes sense is to use a hash that has the properties that are
needed for a particular application.

To use your example of dpkg file checksums, their purpose has _nothing_
to do with security.  They cannot protect against a malicious attacker,
because an attacker who can corrupt /usr/bin/lsof can also corrupt
/var/lib/dpkg/info/lsof.md5sums.  (And /var cannot be read-only as /usr
sometimes is.)  If you need protection against a malicious attacker,
you need to generate and store your checksums in some other way.[1]

    [1] Check out 'apt-cache search tripwire' for various ways to
    reinvent that wheel.  tripwire was an early implementation of this
    idea, so it is mentioned in other package descriptions.

Rather, the checksums are for integrity checking in the face of disk
corruption or administrative snafu.  Basically to answer the question
"Would it help to reinstall this package?"  MD5 is perfectly well
suited for that.  The presence of the md5sums file in control.tar.gz is
just a convenience so that end systems don't have to calculate it at
install time, much like providing .pyc or .elc files in a .deb (which
we don't do, but we could).

My point is not to pick on your specific example, but to suggest
actually _thinking_ about what a hash is used for, as opposed to the
common knee-jerk reaction "oooh, MD5 is weak, it must be replaced!"
every time someone sees MD5.  (Or SHA-1.)

Peter


Reply to: