--MD5 Hashing Algorithm Flawed
(28 January 2005)
Security researchers are warning that the MD5 hashing algorithm, which
is used by two of the three major content addressed storage system
vendors, is flawed. MD5 has reportedly been decertified for secure
operations by NIST since at least 1998.
http://www.computerworld.com/printthis/ … 31,00.html
[Editor's Note (Tan): So far the MD5 collision is only on two 1024-bit
messages (http://eprint.iacr.org/2004/199.pdf), but this is sufficient
to prove that it is not 100% reliable. It will be good to start
considering using a larger hash function. In fact, NIST plans to phase
out SHA-1 in favor of SHA-224, SHA-256, SHA-384 and SHA-512 by 2010
(http://csrc.nist.gov/hash_standards_comments.pdf).
(Schneier): As the article says, the idea that there are flaws in MD5
is nothing new. It really is time and past for vendors to stop using
it.]
from: SANS NewsBites--Feb. 2, 2005--Vol. 7, Num. 5
I realize that I am Mr. Security-Nutcase-stickler-uptight, but I think arch should move away from md5 towards SHA-256. md5 has been known to not be cryptographically secure for some time now. I think steps should be taken for migration...
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
We don't use MD5 sums for security integrity though. We use them for make-sure-your-download-isn't-corrupt integrity.
If someone can get on to the master server to create a malicious package, then they can just as easily update the MD5sums in the db while they're at it, bypassing any sort of hash collision exploits, anyway.
well, it would be VERY unlikely, but it would be theoretically possible for a download to be corrupted, and still yield the same md5..hence a collision.
I stress that the likelihood of this is oh so very small, so indeed it might not be worth worrying about.
How difficult would it be to move to using sha-256 for pacman during the move to libidization? I suppose it would involve a great deal of reworking of too many things to be imminently feasible.
thanks for the quick response.
Hmmm... I know that you can change password encryption from MD5 to Blowfish in BSD...
Can that be done in Linux? Or, better yet, can it be changed to Twofish?
I believe you can use blowfish..
you have to modify pam config files in /etc/pam.d/
I don't know offhand how to do it though..
Ah thanks.
Anything on Twofish...?
dunno. I honestly don't know much about pam, other than simple things.
Someone could conceivably write their own pam module to use whatever they wanted....thus the beauty of pam.
I don't know if someone has or not already though.
If Arch were to move away from MD5 and towards something more secure, I'd say pacman should support both for awhile. It could be mandated that all new packages should use the new algorithm but for compatibility reasons MD5 should be left. So, as new packages make their way into the repos the transition would be seamless to the user. This is the only way I could see this change as possible due to the massive number of PKGBUILDs that would need to be changed.
(eliott@hermes ~)$ pacman -Ss | grep -E "current/|extra/" | wc -l
1753
yeah, that is more than 1 or two..
but. If the move is ever going to take place, waiting will only make it worse.
If not, then I guess it doesn't matter much.
> If Arch were to move away from MD5 and towards something more secure, I'd say pacman should support both for awhile. It could be mandated that all new packages should use the new algorithm but for compatibility reasons MD5 should be left. So, as new packages make their way into the repos the transition would be seamless to the user. This is the only way I could see this change as possible due to the massive number of PKGBUILDs that would need to be changed.
The md5sums are stored in the database, not the package. The whole database is updated every time we do any update, so really things would happen all in one swell foop. The only problem would be if people -S'd but didn't -Sy after it happened.
I have discovered that all of man's unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal
I think he was referring to the md5 array field in the pkgbuilds.
It would likely take some time to convert all the md5sums in the pkgbuilds to sha-256 (or whatever).
There is something on the order of 1800 packages in extra and current that would need to have their abs pkgbuilds updated..
not a fun task to say the least..
Although, I suppose it could be automated. It wouldn't be too hard, theoretically, to write a script in ruby, python, or perl, to go into every directory in the abs tree, download the required packages, compute the new hash, and update the pkgbuilds..
Still, it would be a pain to write the damn thing in the first place..
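The conversion script sketched in the post above, as an added example that is not code from the Arch project or from anyone in this thread. It works on a constructed PKGBUILD and on in-memory stand-ins for the downloaded source files (the names foo-1.0.tar.gz and foo.patch, and their contents, are made up for the example). The one check a practitioner would insist on is also in it: the existing md5sum is verified against the file before the new sha256sum is computed, so a corrupted or tampered download is never silently blessed with a fresh hash.

```python
import hashlib
import re
import shlex

# Constructed sample PKGBUILD; the package and its sources are invented for this example.
SAMPLE_PKGBUILD = """pkgname=foo
pkgver=1.0
source=(foo-1.0.tar.gz foo.patch)
md5sums=('900150983cd24fb0d6963f7d28e17f72'
         'd41d8cd98f00b204e9800998ecf8427e')
"""

# Stand-ins for the files makepkg would have downloaded into the build directory.
SAMPLE_SOURCES = {"foo-1.0.tar.gz": b"abc", "foo.patch": b""}

# Matches a bash array assignment such as   md5sums=('...' '...')   spanning several lines.
ARRAY_RE = re.compile(r"^(?P<key>\w+)=\((?P<body>.*?)\)", re.S | re.M)


def parse_array(text, key):
    """Return the entries of the bash array `key` in a PKGBUILD, or None if absent."""
    for m in ARRAY_RE.finditer(text):
        if m.group("key") == key:
            return shlex.split(m.group("body"))
    return None


def source_filename(entry):
    """Local file name of a source= entry: 'name::url' uses name, otherwise the URL's basename."""
    if "::" in entry:
        return entry.split("::", 1)[0]
    return entry.rsplit("/", 1)[-1]


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def migrate_checksums(pkgbuild, sources, old="md5sums", new="sha256sums"):
    """Replace the `old` checksum array with a `new` one computed from `sources`.

    `sources` maps each source file name to its bytes. Every file must first match
    its existing md5sum; otherwise the migration refuses to re-hash it.
    """
    names = [source_filename(s) for s in parse_array(pkgbuild, "source") or []]
    old_sums = parse_array(pkgbuild, old)
    if old_sums is None:
        raise ValueError(f"no {old} array in PKGBUILD")
    if len(names) != len(old_sums):
        raise ValueError("source and checksum arrays differ in length")

    new_sums = []
    for name, expected in zip(names, old_sums):
        data = sources[name]
        if md5_hex(data) != expected:
            raise ValueError(f"{name}: {old} mismatch, refusing to re-hash a bad file")
        new_sums.append(sha256_hex(data))

    indent = " " * (len(new) + 2)
    block = f"{new}=(" + ("\n" + indent).join(f"'{s}'" for s in new_sums) + ")"
    # Replace only the old array; the rest of the PKGBUILD is left untouched.
    return re.sub(rf"^{old}=\(.*?\)", lambda _m: block, pkgbuild, count=1, flags=re.S | re.M)


if __name__ == "__main__":
    print(migrate_checksums(SAMPLE_PKGBUILD, SAMPLE_SOURCES))
```

Running this over a real abs tree would mean walking each package directory, fetching the entries of source= and feeding the bytes to migrate_checksums; the refusal on md5 mismatch is what keeps an automated sweep from turning one bad download into a permanently wrong sha256sum.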
> Ah thanks.
> Anything on Twofish...?
found interesting stuff in /etc/default/passwd
also /etc/security/pam_unix2.conf
Thanks.
> well, it would be VERY unlikely, but it would be theoretically possible for a download to be corrupted, and still yield the same md5..hence a collision.
A package file has a length of many thousands or millions of ASCII chars. We have an unimaginable number of possibilities.
Any operation you do that outputs a string many times shorter has to match millions of possibilities that return the same value. SHA-256 will reduce the possibility of corruption only if its output is longer than MD5SUM.
extra length does not necessarily ensure a better hash.
Hashing algorithms are big voodoo, lots of "tricks" to try to chop down to the bits specified.
Anyway, back to your statement. md5 outputs a 128 bit hash result. sha1 outputs a 160 bit result. md5 has been shown to have collisions. sha1 has so far not (the full 80 round version. A simplified 30 round version was shown to have some weakness).
Sha1 can address...
*counts on fingers*
2^160..
according to the "birthday" algorithm (heh..that is the only way I can remember it) you would only need approx 2^80 to find a collision (half the address space).
sha-256 is of course, a 256 bit outputting hash.
So with sha-256 (if it is "secure", and so far it appears to be so), you would need..
2^128...aka a big damn number.
That is, of course, if you are simply doing exhaustive searches for collisions. I believe there was some issue with md5, some trick if you will, that allowed them to theoretically reduce the address space further than 2^64.
But, as I said, this is likely a non-issue for a couple more years. Still, it would be nice to be the first distro to move off of md5, because eventually, everyone will have to do so.
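The numbers in the post above (2^80 for sha1, 2^128 for sha-256, and the "birthday" rule they come from), carried through in code as an added example that is not from anyone in this thread. The brute-force part is run against a deliberately truncated MD5 (only the first 16 bits of the digest) so that it finishes instantly; the point is to watch the trial count land near the square root of the tag space, which is exactly why a 128-bit digest gives roughly 2^64 of collision resistance and not 2^128. The package count 1753 is the one quoted earlier in the thread.

```python
import hashlib
import math


def birthday_bound(bits):
    """Brute-force work to find a collision in a `bits`-bit hash: about 2^(bits/2) evaluations."""
    return 2 ** (bits // 2)


def collision_probability(items, bits):
    """Probability that at least two of `items` random inputs share a `bits`-bit digest.

    Uses the standard approximation 1 - exp(-n(n-1) / 2^(bits+1)); expm1 keeps precision
    when the answer is astronomically small, which is the interesting case here.
    """
    exponent = (items * (items - 1)) / (2.0 * 2 ** bits)
    return -math.expm1(-exponent)


def truncated_tag(msg, bits):
    """The first `bits` bits of MD5(msg) as an integer; a toy hash with a tiny output space."""
    return int.from_bytes(hashlib.md5(msg).digest(), "big") >> (128 - bits)


def find_truncated_collision(bits=16):
    """Find two distinct inputs with the same truncated tag by hashing a counter until a repeat.

    Returns (first_input, second_input, trials). By the pigeonhole principle a repeat must
    occur within 2^bits + 1 trials; by the birthday bound it is expected near 2^(bits/2).
    """
    seen = {}
    n = 0
    while True:
        msg = f"input-{n}".encode()          # constructed inputs, nothing package-related
        tag = truncated_tag(msg, bits)
        if tag in seen:
            return seen[tag], msg, n + 1
        seen[tag] = msg
        n += 1


if __name__ == "__main__":
    for name, bits in (("md5", 128), ("sha1", 160), ("sha-256", 256)):
        print(f"{name}: {bits}-bit output, collision search ~2^{bits // 2}")
    # Accidental collision among the ~1753 packages in current+extra with a 128-bit hash.
    print("P(accidental md5 collision among 1753 packages) =", collision_probability(1753, 128))
    a, b, trials = find_truncated_collision(16)
    print(f"16-bit truncated md5: {a!r} and {b!r} collide after {trials} trials (2^8 = 256)")
```

The two halves of the block make the thread's two separate points: accidental collisions between real packages are a non-issue at 128 bits, while deliberate collision search scales with the square root of the output size, which is where the extra length of sha-256 actually buys something.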
Switching away from MD5 in the PKGBUILDs would force me to download a file from the gnome FTP, check it with md5 with the provided md5sums on the FTP to make sure it is right, then generate an SSHA key and put it in the PKGBUILD... far too much work. I think I'm one of the only maintainers that doesn't md5sum by hand, but copies them from the website if available.
md5sum could be weak because of likely collisions, but it's strong enough for our use. I have never seen any package that downloads corrupt, but shows "ok" in pacman. Also, if a download has been corrupted so far that pacman says it's okay because MD5 is correct, I don't think it's a valid tarball pacman can parse then.
the chances of collisions are low, but are inevitable in anything
I'm shortening a 10000 character ASCII document. You can do the math, there are millions, billions of different possibilities of what could be in that file.
Do you really think it's possible to have a unique 32 character combination for each of those millions of possibilities? Now add a pile of files with 10001 characters, do you think there are unique 32 character combinations for all of them too?
Same applies for sha.
Besides afaik, SHA and MD5 are hashing methods, not encryption algorithms. You can't encrypt a file to md5 and then decrypt it.
MD5 does an admirable job at what it does.... have you ever come across a clash? And more importantly, a clash that will affect you? ie a downloaded package that has corrupted, but miraculously kept the same MD5 sum?
Nope!
iphitus
ps: if you answered yes to the last question, please give me the next few month's lotto numbers.
Did you even read my posts?
@iphitus:
Calculate 2^128, and tell me when you're done writing the number on a sheet of paper..
How many different possibilities are this?
Of course, I won't say sha-256 will last forever... though, it's more reliable than md5.
I think we know that md5, sha are hashing algorithms. Though, we didn't want to decrypt them again. It's about finding "collisions" -> when do we get the same hash for two different things.
Write a small program trying to find the same md5 hash for a different word .. you'll be surprised.
Think of passwords... we used to calculate how long it takes to find the one right word as a password. How about if there are more words giving access?
// STi
Ability is nothing without opportunity.
http://www.fcw.com/fcw/articles/2005/02 … -07-05.asp
Burr said other widely used hash functions such as MD5 are vulnerable to attack and their use should be discontinued. "If by some chance you are still using MD5 in certificates or for digital signatures, you should stop," he said.
MD5 for security and MD5 for integrity are two different things.
With an active attacker looking for a collision, MD5 may not be a suitable defence, but when you're making sure the file you downloaded is the same one as the one on the server md5 should be good for a while.
Why? Because hash algorithms are designed to have widely different results when there are a few small changes. If you change 1 bit in a file, most likely its hash will be completely different. The randomness in the distribution of hashes is a good measure of how well a hash algorithm works for integrity checking.
Stated another way, if your download comes down so widely different that you run into a hash space collision, the least of your worries is the package.
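The "change 1 bit and the hash is completely different" property from the post above, measured rather than asserted, as an added example that is not from anyone in this thread. It flips single bits in a constructed 4 KiB stand-in for a package file and counts how many digest bits change; for a well-behaved hash the average sits at half the output size (about 64 of 128 for md5, 128 of 256 for sha256), which is what makes a corrupted download land on a different checksum. It also shows the plain pacman-style integrity check failing on the corrupted copy.

```python
import hashlib
import random

# Constructed stand-in for a package file: 4 KiB of repeating byte values.
SAMPLE_PACKAGE = bytes(range(256)) * 16


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def integrity_ok(data, expected_md5):
    """The download check: does the file's md5sum match the one recorded in the db?"""
    return md5_hex(data) == expected_md5


def flip_bit(data, bit_index):
    """Return a copy of `data` with one bit flipped, simulating a single-bit transfer error."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hash_bit_distance(a, b, algo="md5"):
    """Number of bit positions in which the digests of `a` and `b` differ (Hamming distance)."""
    da = int.from_bytes(hashlib.new(algo, a).digest(), "big")
    db = int.from_bytes(hashlib.new(algo, b).digest(), "big")
    return bin(da ^ db).count("1")


def average_avalanche(data, flips=200, algo="md5", seed=0):
    """Average digest Hamming distance over `flips` random single-bit corruptions of `data`."""
    rng = random.Random(seed)   # fixed seed so the measurement is repeatable
    total = 0
    for _ in range(flips):
        total += hash_bit_distance(data, flip_bit(data, rng.randrange(len(data) * 8)), algo)
    return total / flips


if __name__ == "__main__":
    recorded = md5_hex(SAMPLE_PACKAGE)             # what the repo db would carry
    corrupted = flip_bit(SAMPLE_PACKAGE, 12345)
    print("clean copy passes:    ", integrity_ok(SAMPLE_PACKAGE, recorded))
    print("1-bit corruption passes:", integrity_ok(corrupted, recorded))
    print("digest bits changed by that one flip:", hash_bit_distance(SAMPLE_PACKAGE, corrupted))
    for algo in ("md5", "sha256"):
        print(f"{algo}: average digest bits changed per single-bit flip = {average_avalanche(SAMPLE_PACKAGE, algo=algo):.1f}")
```

The averages are the property that matters for corruption detection, and they are the same for md5 and sha256 in proportion to output size; the difference between the two algorithms shows up only against an adversary who chooses both inputs, which is the separate "security" case the post distinguishes.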
it's very unlikely that someone should be able to make working code with the same md5sum as another file,
the problem with arch is that md5sums aren't encrypted by the package maintainers, I think it has been brought up before but I just mention it again here, sha-256 is still useless if it's not encrypted also,
arch + gentoo + initng + python = enlisy
> the problem with arch is that md5sums aren't encrypted by the package maintainers, I think it has been brought up before but I just mention it again here, sha-256 is still useless if it's not encrypted also,
Well, useless in the sense that you cannot generate a valid digital signature from it, but it is still useful for what it was intended for...representing an arbitrarily long number (software program) as a finite small number (hash). Different goals.
I still think that arch should switch to a better hash algorithm, and use digital signatures to ensure that "official" packages in the repositories are not messed with, but I realize the overhead to make such a change, both in human time and machine time, are not insignificant.
I will just go to my corner now and chew on my lip.
> I will just go to my corner now and chew on my lip.
That's ironic. I'm currently "biting my tongue", since this MD5 stuff is every bit cryptic and baffling to me as calling the people who handle my investments a "Broker", yet I continually trust them with my money...
guess I have taken too many crypto courses for my own good. The more you know, the more paranoid you become. :?