will lunar switch from md5sum's

Auke Kok sofar at lunar-linux.org
Thu Aug 19 15:21:40 GMT 2004


I think your point of perspective is slightly off and would like to stress:

- lunar will try to follow current known standards for verification of
integrity.

- Replacing the md5 hashes with sha1 would be trivial and the code could
be whipped up in about 2 minutes (nevertheless it needs to be done and
verified that it works even if sha1sum is not available for instance)

That said you can conclude that if more and more people/distros/oss
projects move away from md5 to other hashes (or better hash algorithms
that show more randomness, the md5 collisions apparently have a very close
distance) then lunar will too, and rapidly.

perhaps a good time to start using gpg verification? maybe...

sofar





> Hendrik Visage wrote:
>> To understand the ultimate risk, you'll have to understand the ease of
>> generating a valid piece of code, still the same exact lenght as the
>> original,
>> and *that* to have the same hash value. Yes, these research papers
>> showed it
>> easier than we expected, but still they haven't shown it possible with
>> multi megabyte files compressed files to be able to exploit the system
>> and
>> inject/remove valuable code.
>
> Someone could theoretically remove certain files, such as docs, man
> pages, readme's, or even code comments and have plenty of room to insert
> a trojan that polls a website for more stuff to infect the system with.
>
>> The risk is still not so big to worry about it if it's done properly,
>> ie.
>> you do the hash on the compressed data, and not the source code, as you
>> add
>> an extra layer of complexity, as the cracker needs to know find a valid
>> gzip/bzip2 file that have a hash collision with the original, *and* that
>> have
>> a valid source code that have a backdoor in it. Not impossible, but in
>> my
>> opinion much less likely.
>
> Someone who would even bother to attempt something like that could
> probably minimize that extra layer with some nice fast machines -- or
> perhaps, if they could compress the trojanized version smaller than the
> original archive (removing docs, etc), they could play with inserting
> extra junk data into the compressed archive.
>
> -Striker
>
> --
> The system requirements said "Windows 95 or better"
> So I installed Linux.
>
> Microsoft sells you Windows; Linux gives you the house.
>
> v1sw6CUhw5ln4pr5ck4ma6/7u8Lw3Tm5l6+8GOa21s6Mr2e5+7t5/6TNDVESLFRXMb3Hp0en6/7g9ASTHCNMP
> www.hackerkey.com
>
> Registered Linux User: 332618
> <http://striker.interhact.net/striker.asc>
> _______________________________________________
> Lunar mailing list
> Lunar at lunar-linux.org
> http://lunar-linux.org/mailman/listinfo/lunar
>
>




More information about the Lunar mailing list