Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

[Ondřej Surý <ondrej@sury.org>]

On Fri, Aug 2, 2013 at 8:57 PM, David Kalnischkies <kalnischkies@gmail.com> wrote:

On Fri, Aug 2, 2013 at 6:33 PM, Ondřej Surý <ondrej@sury.org> wrote:
> On Fri, Aug 2, 2013 at 2:52 PM, Paul Wise <pabs@debian.org> wrote:

> So, yeah let's drop MD5, but don't introduce neither SHA512 nor SHA-3
> unless there's a cryptographical need (there isn't at the moment).

Actually, it might be less controversial to drop SHA1[0] as the MD5 has
fieldnames (as Guillem already mentioned) which are probably assumed
to be present. I have not check(-ETIME) that for APT now, but somehow
I would be surprised if it wouldn't dislike (some) missing MD5 sections
even if it isn't using the sections for providing MD5, but because they have
a wonderfully stable name like "Files".

Its not like we are anywhere near to a "cryptographical need" to drop MD5
(as you have to do (at least) two pre-image attacks in a row with the same
 file (aka compressed and uncompressed) – and as a bonus, the filesize has
 to match as well – not to mention that the file has to make sense…) and
at the time we do SHA1 is probably not an interesting candidate.

[IANACryptoguy] As far as I understand the MD5 attacks the length doesn't

matter. You just need to pick the package big enough to hold your evil content

and the "filling" which you use to compute the same MD5 (e.g. collision

vulnerability). I think that the lengths of the files do not add enough bits.

As for compressed/uncompressed - again I am unsure if this adds enough bits

to circumvent the attacks on MD5. In my simplistic view - if you can find a collision

in digital certificate then I am quite sure you can find a collision in debian package.

I would not rely on MD5 with anything, so the dropping of MD5 for good (together

with SHA-1) might be a good release goal.

O.
--
Ondřej Surý <ondrej@sury.org>