
Re: Let's shrink Packages.xz

On 14 July 2014 20:57, Henrique de Moraes Holschuh <hmh@debian.org> wrote:
> On Mon, 14 Jul 2014, Jakub Wilk wrote:
>> * Peter Palfrader <weasel@debian.org>, 2014-07-14, 20:25:
>> >>The basic idea is that it's much harder to come up with a
>> >>simultaneous hash collision with both SHA-1 and SHA-2 than
>> >>breaking either of them independently.
>> >
>> >ISTR reading papers that put this "much harder" into doubt.  But I
>> >can't find those references, alas.
>>
>> You might have had this paper in mind:
>> https://www.iacr.org/archive/crypto2004/31520306/multicollisions.pdf
>> Quoting §4: “If F and G are good iterated hash functions with no
>> attack better than the generic birthday paradox attack, we claim
>> that the hash function F||G obtained by concatenating F and G is not
>> really more secure than F or G by itself.”
>
> We don't want F|G to be more secure than F or G by itself.  We want it to be
> at least as secure as the stronger of F or G.
>
> Which means it continues being secure if one of G or F, but not both, is
> "compromised".
>

Huh, I'm not quite sure that multiple hashes actually gain us anything
at all in terms of compromisation, since ultimately all our archive
metadata is protected by a single hash only.

Whilst replacing individual files & simultaneously matching multiple
hash algorithms is an interesting problem, it's much more interesting
to match the SHA256 of the Release file such that Release.gpg validates;
then you can replace /all/ files with valid checksums across the board.
Or otherwise generate/break the archive signing key.

So RSA 4096 key and SHA256 signature is what ultimately secures our
current archive, all other hashes in the Packages file are there
merely to assert that it's the right binary that is signed and that
one downloaded it correctly.

Thus can we please drop MD5 & SHA1 hashes? Anything that can't
validate SHA256, can't validate Release.gpg/InRelease and is thus
insecure.

$ gpg -v --verify Release.gpg Release
gpg: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
gpg: Signature made Mon 14 Jul 2014 10:02:39 PM BST using RSA key ID 46925553
gpg: using PGP trust model
gpg: Good signature from "Debian Archive Automatic Signing Key
(7.0/wheezy) <ftpmaster@debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A1BD 8E9D 78F7 FE5C 3E65  D8AF 8B48 AD62 4692 5553
gpg: binary signature, digest algorithm SHA256

-- 
Regards,

Dimitri.
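As an added illustration of the trust chain the post describes (this is not code from the thread or from apt), here is a small Python check that accepts an index only through its SHA256 entry in the signature-verified Release file and ignores the MD5Sum/SHA1 sections entirely. The Release fragment, the Packages body and the index path are constructed sample data, not real archive content.

```python
import hashlib
import hmac

# Constructed sample index body (not real archive data); the path below is hypothetical.
PACKAGES_BODY = b"Package: example\nVersion: 1.0\nFilename: pool/main/e/example_1.0_amd64.deb\n"
INDEX_PATH = "main/binary-amd64/Packages"

def build_release(packages: bytes, path: str = INDEX_PATH) -> str:
    """Build a minimal Release fragment listing one index under all three hash sections."""
    lines = []
    for section, algo in (("MD5Sum", "md5"), ("SHA1", "sha1"), ("SHA256", "sha256")):
        digest = hashlib.new(algo, packages).hexdigest()
        lines.append(f"{section}:")
        lines.append(f" {digest} {len(packages):>16} {path}")
    return "\n".join(lines) + "\n"

def parse_release(text: str) -> dict:
    """Return {section: {path: (hexdigest, size)}} for the indented hash sections."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            digest, size, path = line.split()
            sections[current][path] = (digest, int(size))
        elif line.endswith(":"):          # "MD5Sum:", "SHA1:", "SHA256:" open a section
            current = line[:-1]
            sections[current] = {}
        else:                             # ordinary "Key: value" header lines
            current = None
    return sections

def verify_index(release_text: str, path: str, data: bytes) -> bool:
    """Accept an index only via its SHA256 entry in the (signature-checked) Release file.

    MD5Sum and SHA1 entries are deliberately ignored: the signature over Release is
    SHA256-based, so a client unable to compute SHA256 cannot verify Release.gpg
    either, and the weaker hashes add nothing to the trust chain."""
    entries = parse_release(release_text).get("SHA256", {})
    if path not in entries:
        return False
    expected, size = entries[path]
    if len(data) != size:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)
```

A Release fragment that carries only MD5Sum and SHA1 sections is rejected outright, which is the behaviour the post argues for.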

