RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

["Frank Bulk" <frnkblk () iname com>]

For me the MD5 hashes on file downloads are more valuable to ensure the
package is accurate to a byte rather than to verify its authenticity or
integrity.

Wouldn't listing both SHA-1 and MD5 hashes for a file download assure almost
complete confidence that the file is the original one?  I don't think anyone
has been able to create a duplicate file that generates the same SHA-1 *and*
MD5 hashes as the original file.

Frank

-----Original Message-----
From: Florian Weimer [mailto:fw () deneb enyo de] 
Sent: Saturday, January 03, 2009 10:23 AM
To: Skywing
Cc: NANOG
Subject: Re: Security team successfully cracks SSL using 200 PS3's and MD5
flaw.

> Then again, I just got yet another Debian DSA mail which has
> plaintext download links for new binaries.  The integrity
> verification mechanism for said binaries is, you guessed it:
> PGP-signed md5sums.

I can assure you that you will continue to receive these messages for
a while (unless you unsubscribe from the relevant mailing lists).

Our rationale is that in order to carry out currently known attacks on
MD5, you need to create a twin of documents, one evil and one
harmless.  In Debian's case, we prepare the data we sign on our
trusted infrastructure.  If someone can sneak in an evil twin due to a
breach, more direct means of attack are available.

In practice, the download links themselves are the larger problem
because users might use them without checking anything.  Eventually,
they will go away, together with the MD5 hashes.  Newer versions of
APT also use the SHA-256 checksums embedded in the Release and
Packages files.