[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

On Fri, Aug 2, 2013 at 8:57 PM, David Kalnischkies <kalnischkies@gmail.com> wrote:
On Fri, Aug 2, 2013 at 6:33 PM, Ondřej Surý <ondrej@sury.org> wrote:
> On Fri, Aug 2, 2013 at 2:52 PM, Paul Wise <pabs@debian.org> wrote:
> So, yeah let's drop MD5, but don't introduce neither SHA512 nor SHA-3
> unless there's a cryptographical need (there isn't at the moment).

Actually, it might be less controversial to drop SHA1[0] as the MD5 has
fieldnames (as Guillem already mentioned) which are probably assumed
to be present. I have not check(-ETIME) that for APT now, but somehow
I would be surprised if it wouldn't dislike (some) missing MD5 sections
even if it isn't using the sections for providing MD5, but because they have
a wonderfully stable name like "Files".

Its not like we are anywhere near to a "cryptographical need" to drop MD5
(as you have to do (at least) two pre-image attacks in a row with the same
 file (aka compressed and uncompressed) – and as a bonus, the filesize has
 to match as well – not to mention that the file has to make sense…) and
at the time we do SHA1 is probably not an interesting candidate.

[IANACryptoguy] As far as I understand the MD5 attacks the length doesn't
matter. You just need to pick the package big enough to hold your evil content
and the "filling" which you use to compute the same MD5 (e.g. collision
vulnerability). I think that the lengths of the files do not add enough bits.

As for compressed/uncompressed - again I am unsure if this adds enough bits
to circumvent the attacks on MD5. In my simplistic view - if you can find a collision
in digital certificate then I am quite sure you can find a collision in debian package.

I would not rely on MD5 with anything, so the dropping of MD5 for good (together
with SHA-1) might be a good release goal.

Ondřej Surý <ondrej@sury.org>

Reply to: