
Bug#423902: apt should use both md5 and sha1



On Mon, May 14, 2007 at 10:20:18PM +0200, Thomas Geyer wrote:
> Package: apt
> Version: 0.6.46.4
> Severity: wishlist
> 
> 
> Collisions for md5 and sha1 were found already,
> so it's likely that in the near future one of them alone won't be
> safe enough.
> 
> Since it is harder to find collisions for two checksums than for one,
> apt should use both of them at the same time for verifying packages.

This demonstrates a common misconception about hash algorithms, I'm
afraid. Search for "multicollisions" to find papers debunking the
usefulness of this technique. In short, concatenating MD5 and SHA1 adds
approximately six bits of security over using SHA1 alone, which is
unlikely to be worth the computational effort of doing so.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]
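
To illustrate the multicollision argument the reply points to, here is an added toy example (not part of this bug report, of apt, or of Colin's message): two constructed 16-bit Merkle-Damgard hashes H1 and H2 stand in for MD5 and SHA1, and a collision on their concatenation is found with far less than the 2**16 birthday work an ideal 32-bit hash would need, following Joux's 2004 construction.

```python
# Constructed toy: two 16-bit Merkle-Damgard hashes H1 and H2 stand in for MD5 and SHA1.
import hashlib
import itertools
import random

def compress(tag, state, block):
    """Toy 16-bit compression function: SHA-256 truncated to 2 bytes, keyed by tag so H1 != H2."""
    data = tag + state.to_bytes(2, "big") + block
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def md_hash(tag, blocks):
    """Iterated hash over 4-byte blocks from a fixed IV, as Merkle-Damgard designs do."""
    state = 0
    for blk in blocks:
        state = compress(tag, state, blk)
    return state

def find_block_collision(tag, state, rng):
    """Birthday search: two distinct blocks taking `state` to the same next state (~2**8 tries)."""
    seen = {}
    while True:
        blk = rng.getrandbits(32).to_bytes(4, "big")
        out = compress(tag, state, blk)
        if out in seen and seen[out] != blk:
            return seen[out], blk, out
        seen[out] = blk

def joux_multicollision(tag, t, rng):
    """t chained block pairs: all 2**t pick-one-per-position messages share one
    md_hash(tag, ...) value, for only about t * 2**8 work instead of 2**8 per collision."""
    pairs, state = [], 0
    for _ in range(t):
        a, b, state = find_block_collision(tag, state, rng)
        pairs.append((a, b))
    return pairs

def collide_concatenation(t=12, seed=1):
    """Two distinct messages colliding under H1 || H2.  Step 1: a 2**t-way
    multicollision for H1 (~t * 2**8 work).  Step 2: birthday search among those
    messages under H2 (~2**t work).  Total ~2**13, not the 2**16 of an ideal 32-bit hash."""
    rng = random.Random(seed)
    pairs = joux_multicollision(b"H1", t, rng)
    seen = {}
    for choice in itertools.product((0, 1), repeat=t):
        msg = [pairs[i][c] for i, c in enumerate(choice)]
        h2 = md_hash(b"H2", msg)
        if h2 in seen:
            return seen[h2], msg
        seen[h2] = msg
    return None  # vanishingly unlikely once t exceeds half the digest size
```

The concatenated digest is only as strong as the stronger of its two components plus a few bits, which is the point the reply makes; the toy sizes only make the effect visible in seconds.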
