
Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)



On 12/10/12 12:10, David Kalnischkies wrote:
> I wonder if it is really a good idea to search for a security checksum
> based on the metric that it can be quickly calculated … but off-topic.

It depends what you're using it for: security is not magic pixie dust. A
hashing algorithm that is faster and equally collision-resistant is
better for integrity-checking (faster and no less secure), but worse for
password hashing (an attacker can try potential passwords faster).

>> Anyway... I guess it was clear, that I rather meant secure APT... dsc
>> files, Release.gpg, etc. pp.
> 
> APT will usually negotiate the checksum to use based on what it supports
> and what is included in the Release file.

Another relevant hashing algorithm is the one that GnuPG (as used by the
ftpmasters) uses to generate the signature for InRelease and
Release.gpg. For wheezy-as-testing, InRelease appears to be signed with
(RSA +) SHA1, which is the GnuPG default. In principle the ftpmasters
could configure gpg to sign with SHA256 (or even SHA512) in future,
assuming stable's gnupg (and preferably also oldstable's gnupg) can
verify such signatures.

squeeze's gnupg does seem to support the SHA-2 set of hashes (SHA224 up
to SHA512).

> Oh, and there is "Description-md5". I can't imagine a scenario in which it
> would be useful to change the English description of a package for an attack

This doesn't seem to matter, even if the descriptions were
security-sensitive. The signed file (In)Release(.gpg) contains MD5,
SHA1, SHA256 hashes of both Packages and Translation-*, so you can be
sure that nobody has modified Packages or Translation-* since they left
dak; and anyone who could cause dak to incorporate maliciously-colliding
descriptions (a DD or DM with upload privileges) could do more damage by
uploading a malicious .deb instead.

    S
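The negotiation David describes above (APT picking a checksum from what the Release file offers) and the point that the signed Release file covers Packages and Translation-* by MD5, SHA1 and SHA256 can be made concrete with a small verifier. This is an added example for this archived thread, not code from APT or dak: it builds a constructed Release file for a constructed Packages index, parses the hash sections and verifies the index with the strongest algorithm present. The section names `MD5Sum:`, `SHA1:` and `SHA256:` are the ones a Debian Release file really uses; the strongest-first preference order and the sample data are assumptions made here for illustration.

```python
"""Verify a Packages index against the hashes advertised in a Release file,
preferring the strongest algorithm the Release file offers. Added example
with constructed data; APT's own negotiation logic is not reproduced."""
import hashlib
import re

# Strongest first. The ordering is an assumption for this example; the
# names are the hash-section headers a Debian Release file actually uses.
HASH_PREFERENCE = [
    ("SHA256", hashlib.sha256),
    ("SHA1", hashlib.sha1),
    ("MD5Sum", hashlib.md5),
]


def parse_release(text):
    """Return {section: {path: (hexdigest, size)}} for the hash sections.

    A section is a line such as 'SHA256:' followed by indented lines of
    the form ' <hexdigest> <size> <path>'. Any non-indented line ends the
    current section, so the Suite/Codename headers are skipped naturally.
    """
    sections = {}
    current = None
    for line in text.splitlines():
        if not line.startswith(" "):
            current = None
            match = re.match(r"^(MD5Sum|SHA1|SHA256):\s*$", line)
            if match:
                current = match.group(1)
                sections[current] = {}
            continue
        if current is None:
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed entry: ignore rather than trust it
        digest, size, path = parts
        sections[current][path] = (digest.lower(), int(size))
    return sections


def verify_index(release_text, path, data):
    """Check `data` (bytes of the file at `path`) against the Release file.

    Uses the strongest hash that lists `path`; returns (algorithm, ok).
    Both the size and the digest must match. A file no section covers is
    an error: an index the signed Release does not vouch for is untrusted.
    """
    sections = parse_release(release_text)
    for name, ctor in HASH_PREFERENCE:
        entry = sections.get(name, {}).get(path)
        if entry is None:
            continue
        expected_digest, expected_size = entry
        size_ok = len(data) == expected_size
        digest_ok = ctor(data).hexdigest() == expected_digest
        return name, size_ok and digest_ok
    raise ValueError("no supported hash for %s in Release" % path)


def make_release(files, algorithms=("MD5Sum", "SHA1", "SHA256")):
    """Build a minimal Release file for {path: bytes} (constructed stand-in
    for what dak writes; only the headers needed for the demo are emitted)."""
    ctors = dict(HASH_PREFERENCE)
    out = ["Suite: testing", "Codename: wheezy"]
    for alg in algorithms:
        out.append("%s:" % alg)
        for path, data in sorted(files.items()):
            out.append(" %s %d %s" % (ctors[alg](data).hexdigest(), len(data), path))
    return "\n".join(out) + "\n"


# Constructed sample index; the values are illustrative only.
PACKAGES = b"Package: hello\nVersion: 2.8-2\nArchitecture: amd64\n\n"
INDEX_PATH = "main/binary-amd64/Packages"


def demo():
    """Three cases: full Release picks SHA256, an MD5-only Release can only
    fall back to MD5, and a modified index fails under the strongest hash."""
    files = {INDEX_PATH: PACKAGES}
    full = make_release(files)
    legacy = make_release(files, algorithms=("MD5Sum",))
    tampered = PACKAGES.replace(b"2.8-2", b"2.8-3")
    return {
        "strongest": verify_index(full, INDEX_PATH, PACKAGES),
        "legacy": verify_index(legacy, INDEX_PATH, PACKAGES),
        "tampered": verify_index(full, INDEX_PATH, tampered),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The "legacy" case is the situation the thread is worried about: a client can only be as strong as the weakest set of hashes it is willing to accept, so dropping MD5 (and ideally SHA1) from the archive's Release files matters more than which hash a single client prefers.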