Re: [Full-disclosure] Signature or checksum? (was: MD5 considered harmful)
- From: coderman <coderman@xxxxxxxxx>
- Date: Sat, 1 Dec 2007 21:59:30 -0800
On Dec 1, 2007 7:08 PM, <Valdis.Kletnieks@xxxxxx> wrote:
> (Note that strictly speaking, what you *really* want is a PGP-signed or
> otherwise authenticated MD5/SHA-256 hash. Otherwise, if I'm an attacker,
> I can just splat a new binary up, and a new MD5SUMS file that lists the
> MD5 sum for the backdoored binaries. If anything, more people manage to
> screw *this* part up than the much lesser offense of still using MD5 rather
> than something from the SHA-2 family)....
this has come up recently in situations like the hushmail trojan'd applets
and so forth. consider a court order that compels you to sign a given
backdoor'd product in use by a targeted individual.

in this case, the use of signatures provides less security than comparing
public checksums. (because you'd notice that your particular download
has a different sum, while comparing signatures you'd assume it was

ideally everyone would compare both a signature (a trusted source
provided it) as well as a public checksum (let's assume you can do so
out of band securely using archives or other channel not actively
controlled by an attacker).

i know that signatures include a checksum, but this is hidden by the
verification process. the human really needs to be in the loop for both.

p.s. for the tin foil hat crowd, those digital sigs are looking
weaker every year compared to cryptographic hash functions and block
not to mention GNFS improvements the last few years...

(ok, i admit, i love an excuse to reference Mr. T)
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
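The two failure modes argued over in this thread (a vendor compelled to sign a trojaned build, and an attacker who replaces both the binary and the in-band MD5SUMS file) can be reproduced with a verifier that runs both checks and reports them separately. The following is an added example, not code from the thread, from Hushmail, or from any PGP implementation: it uses Ed25519 from Go's standard library as a stand-in for a PGP signature, generates a throwaway vendor key, and uses made-up byte strings as the "clean" and "backdoored" builds. The function names (`Verify`, `Scenario`) and the out-of-band checksum source are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// VerifyResult keeps the two checks separate instead of collapsing them into
// one yes/no, so the digest stays visible to the person doing the verifying.
type VerifyResult struct {
	SigValid   bool   // signature over the download verifies under the vendor key
	SHA256     string // hex SHA-256 of the downloaded bytes, shown to the user
	SumMatches bool   // digest equals the checksum obtained out of band
}

// Accept is the policy the post argues for: both checks must pass.
func (r VerifyResult) Accept() bool { return r.SigValid && r.SumMatches }

// Verify checks a download against the vendor signature and against a
// checksum the user obtained through a channel the attacker does not control.
func Verify(pub ed25519.PublicKey, download, sig []byte, oobSHA256 string) VerifyResult {
	hexSum := hexSHA256(download)
	return VerifyResult{
		SigValid:   ed25519.Verify(pub, download, sig),
		SHA256:     hexSum,
		SumMatches: hexSum == oobSHA256,
	}
}

func hexSHA256(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// Scenario reproduces the thread's cases with constructed data (a key
// generated here, made-up "builds"):
//   - honest:    vendor signature and out-of-band checksum both hold
//   - compelled: vendor signs a backdoored build; signature passes, checksum fails
//   - mirror:    attacker swaps binary and the in-band SUMS file; the in-band
//                sum matches, the signature fails
func Scenario() (honest, compelled, mirror VerifyResult, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // hypothetical vendor key
	if err != nil {
		return
	}
	cleanBuild := []byte("applet-1.0.jar: genuine build")              // constructed
	backdoorBuild := []byte("applet-1.0.jar: genuine build + backdoor") // constructed

	// Checksum recorded out of band when the clean build shipped (archive,
	// second mirror, a friend's copy): assumed not under attacker control.
	oob := hexSHA256(cleanBuild)

	// 1. Honest download.
	honest = Verify(pub, cleanBuild, ed25519.Sign(priv, cleanBuild), oob)

	// 2. Court order: the vendor signs the trojaned build with the real key and
	//    serves it only to the target. The signature verifies; only the
	//    out-of-band checksum exposes the substitution.
	compelled = Verify(pub, backdoorBuild, ed25519.Sign(priv, backdoorBuild), oob)

	// 3. Compromised mirror: the attacker replaces the binary and the SUMS
	//    file but has no signing key, so the old signature is left in place.
	//    A user who trusts the mirror's SUMS file instead of an out-of-band
	//    copy sees a matching digest; only the signature check exposes it.
	attackerSums := hexSHA256(backdoorBuild)
	mirror = Verify(pub, backdoorBuild, ed25519.Sign(priv, cleanBuild), attackerSums)
	return
}

func main() {
	honest, compelled, mirror, err := Scenario()
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name string
		r    VerifyResult
	}{{"honest", honest}, {"compelled signing", compelled}, {"compromised mirror", mirror}}
	for _, c := range cases {
		fmt.Printf("%-19s sig=%-5v sum=%-5v accept=%-5v sha256=%s\n",
			c.name, c.r.SigValid, c.r.SumMatches, c.r.Accept(), c.r.SHA256)
	}
}
```

The point of returning the digest rather than just a boolean is the one made in the post: a signature verifier computes a hash internally but never shows it, so a user who only sees "good signature" has nothing to compare against an archived checksum. Printing the SHA-256 next to both verdicts keeps the human in the loop for both checks.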