Re: [Full-disclosure] Signature or checksum? (was: MD5 considered harmful)



On Dec 1, 2007 7:08 PM, <Valdis.Kletnieks@xxxxxx> wrote:
...
(Note that strictly speaking, what you *really* want is a PGP-signed or
otherwise authenticated MD5/SHA-256 hash. Otherwise, if I'm an attacker,
I can just splat a new binary up, and a new MD5SUMS file that lists the
MD5 sum for the backdoored binaries. If anything, more people manage to
screw *this* part up than the much lesser offense of still using MD5 rather
than something from the SHA-2 family)....

this has come up recently in situations like the hushmail trojan'd applets
and so forth. consider a court order that compels you to sign a given
backdoor'd product in use by a targeted individual.

in this case, the use of signatures provides less security than comparing
public checksums. (because you'd notice that your particular download
has a different sum, while comparing signatures you'd assume it was
legitimate.)

ideally everyone would compare both a signature (a trusted source
provided it) as well as a public checksum (let's assume you can do so
out of band securely using archives or another channel not actively
controlled by an attacker).

i know that signatures include a checksum, but this is hidden by the
verification process. the human really needs to be in the loop for both.

best regards,

p.s. for the tin foil hat crowd, those digital sigs are looking
weaker every year compared to cryptographic hash functions and block
ciphers:

http://dwave.wordpress.com/2007/11/26/slides-from-sc07-progress-in-quantum-computing-panel/

not to mention GNFS improvements the last few years...

(ok, i admit, i love an excuse to reference Mr. T)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
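
The two-step check argued for in the message above, as an added example that is not part of the original post: a download is accepted only if its signature verifies and its digest also matches checksums published on channels the signer does not control. The signature result is taken as an input (assumed to come from a separate tool such as gpg), and the channel labels, file name, and sample bytes are constructed for illustration.

```python
import hashlib

def parse_sums(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) == 64 and name:
            sums[name] = digest.lower()
    return sums

def check_download(name, data, signature_ok, public_records):
    """signature_ok: signature result from a separate verifier (assumed input).
    public_records: {channel_label: checksum_file_text}, obtained out of band."""
    local = hashlib.sha256(data).hexdigest()
    agree, differ, missing = [], [], []
    for channel, text in public_records.items():
        published = parse_sums(text).get(name)
        if published is None:
            missing.append(channel)
        elif published == local:
            agree.append(channel)
        else:
            differ.append(channel)
    if not signature_ok:
        verdict = "reject: signature invalid"
    elif differ:
        # Validly signed, yet not the build everyone else received.
        verdict = "reject: signed, but differs from public record"
    elif not agree:
        verdict = "unconfirmed: no public record to compare"
    else:
        verdict = "accept"
    return {"sha256": local, "verdict": verdict,
            "agree": agree, "differ": differ, "missing": missing}

# Constructed sample data: the widely distributed build and a per-target build.
PUBLIC_BUILD = b"release-1.0 public build (constructed sample)\n"
TARGETED_BUILD = b"release-1.0 targeted build (constructed sample)\n"
_PUB = hashlib.sha256(PUBLIC_BUILD).hexdigest()
RECORDS = {
    "list-archive": _PUB + "  tool-1.0.tar.gz\n",
    "third-party-mirror": _PUB.upper() + " *tool-1.0.tar.gz\n",
    "other-archive": "# no entry for this release\n",
}
```

With `signature_ok=True`, the targeted build is still rejected because its digest disagrees with the public record, which is the case where a signature check alone would have reported success.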


