Re: Signature or checksum? (was: MD5 considered harmful)

[coderman <coderman () gmail com>]

On Dec 1, 2007 7:08 PM,  <Valdis.Kletnieks () vt edu> wrote:
> ...
> (Note that strictly speaking, what you *really* want is a PGP-signed or
> otherwise authenticated MD5/SHA-256 hash.  Otherwise, if I'm an attacker,
> I can just splat a new binary up, and a new MD5SUMS file that lists the
> MD5 sum for the backdoored binaries.  If anything, more people manage to
> screw *this* part up than the much lesser offense of still using MD5 rather
> than something from the SHA-2 family)....

this has come up recently in situations like the hushmail trojan'd applets
and so forth.  consider a court order that compels you to sign a given
backdoor'd product in use by a targeted individual.

in this case, the use of signatures provides less security than comparing
public checksums.  (because you'd notice that your particular download
has a different sum, while comparing signatures you'd assume it was
legitimate.)

ideally everyone would compare both a signature (a trusted source
provided it) as well as a public checksum (let's assume you can do so
out of band securely using archives or other channel not actively
controlled by an attacker).

i know that signatures include a checksum, but this is hidden by the
verification process.  the human really needs to be in the loop for both.

best regards,

p.s.  for the tin foil hat crowd, those digital sigs are looking
weaker every year compared to cryptographic hash functions and block
ciphers:

http://dwave.wordpress.com/2007/11/26/slides-from-sc07-progress-in-quantum-computing-panel/

not to mention GNFS improvements the last few years...

(ok, i admit, i love an excuse to reference Mr. T)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/