Christian Weisgerber <[email protected]> wrote:

> It's time to drop MD5 from the distinfo checksums. MD5 cannot
> guarantee the integrity of a distfile. It is broken, people are
> finding collisions and have used this for practical attacks.
>
> Espie has previously suggested that having several different hash
> functions might improve overall security. In this paper,
> http://www.iacr.org/cryptodb/archive/2004/CRYPTO/1472/1472.pdf
> Antoine Joux argues otherwise. The concatenation of two iterated
> hash functions is not stronger than its strongest component.

There has been some further disjointed discussion on this that I would
like to put into a common forum here. Matthew Dempsky has suggested to
drop the RIPEMD-160 and SHA-1 hashes as well. And:

Matthew Dempsky <[email protected]>:

| On Sun, Jul 8, 2012 at 2:09 AM, Stuart Henderson <[email protected]> wrote:
| > I do think it's useful to have two hashes from different families though,
| > I've just been looking at the bsd.port.mk code that runs checksums, thinking
| > of making it check *all* of PREFERRED_CIPHERS rather than just the first
| > matching one. For that, iirc SHA-1 is a different family to SHA-256 so
| > I think using those two together would be ok.
|
| Yeah, my understanding is SHA-1 and SHA-256 are different families
| too, so if we really want two separate families of hashes I think
| that's okay. I'm just not sure that really buys much. NIST has
| already been discouraging SHA-1's use since 2005
| (http://csrc.nist.gov/groups/ST/hash/statement.html; "Federal agencies
| must stop relying on digital signatures that are generated using SHA-1
| by the end of 2010"). I think SHA-256 would have to be pretty
| catastrophically broken for its security to drop below SHA-1 in
| security, and any attack that breaks SHA-256 overnight would probably
| significantly affect SHA-1 too.

FWIW, I agree with Matthew.

-- 
Christian "naddy" Weisgerber                          [email protected]
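Added example, not part of the thread or of bsd.port.mk: a small checker that does what Stuart describes, verifying every accepted digest listed for a distfile rather than stopping at the first match, with MD5 left out of the accepted set so an MD5-only distinfo cannot pass. It assumes the `ALGO (file) = digest` distinfo line layout and accepts hex or base64 digests; the sample distinfo, its file name and the file contents (`b"abc"`) are constructed.

```python
"""Verify a distfile against every trusted digest in a distinfo file."""
import base64
import hashlib
import hmac

# Distinfo labels still trusted for integrity, mapped to hashlib names.
# MD5 is deliberately absent; RMD160 is left out because hashlib support
# for it depends on the OpenSSL build.
ACCEPTED = {"SHA256": "sha256", "SHA1": "sha1"}

def parse_distinfo(text):
    """Parse 'ALGO (file) = value' lines into {file: {ALGO: value}}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        algo, rest = line.split(" (", 1)
        name, value = rest.split(") = ", 1)
        entries.setdefault(name, {})[algo] = value.strip()
    return entries

def decode_digest(value, size):
    """Accept a hex or base64 digest of `size` bytes; None if malformed."""
    try:
        if len(value) == 2 * size:
            return bytes.fromhex(value)
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def verify_all(data, entries, name):
    """Return (ok, checked). ok is True only when at least one accepted
    digest is listed for `name` and every listed accepted digest matches;
    a single mismatch fails the file even if an earlier digest matched."""
    checked = []
    for label, ctor in sorted(ACCEPTED.items()):
        value = entries.get(name, {}).get(label)
        if value is None:
            continue
        h = hashlib.new(ctor, data)
        expected = decode_digest(value, h.digest_size)
        if expected is None or not hmac.compare_digest(h.digest(), expected):
            return False, checked
        checked.append(label)
    return bool(checked), checked

# Constructed sample: standard test-vector digests of b"abc", in hex.
SAMPLE_DISTINFO = """\
MD5 (foo-1.0.tar.gz) = 900150983cd24fb0d6963f7d28e17f72
SHA1 (foo-1.0.tar.gz) = a9993e364706816aba3e25717850c26c9cd0d89d
SHA256 (foo-1.0.tar.gz) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""
```

The MD5 line in the sample is parsed but never consulted, so a distinfo carrying only MD5 is reported as unverified rather than as verified.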
