[prev in list] [next in list] [prev in thread] [next in thread]
List: gnupg-users
Subject: Re: SHA-1 vs. SHA-256 checksums (was: Different SHA1 Checksum using Microsoft file checksum integrit
From: Daniel Kahn Gillmor <dkg () fifthhorseman ! net>
Date: 2016-01-24 19:30:07
Message-ID: 87r3h67p34.fsf () alice ! fifthhorseman ! net
[Download RAW message or body]
On Sun 2016-01-24 13:55:38 -0500, Werner Koch wrote:
> If you talk to people on how they verify SSH fingerprints (that is even
> MD5 for most installations)
SSH key fingerprints are a different thing than software distribution
checksums because the material digested in ssh originates entirely from
one party, whereas the software distribution checksums can potentially
be influenced by multiple parties.
> you will so often hear: "Oh, I look at the first and a few of the
> last digits only".
right, this is not a cryptographically-strong verification :)
> We can assume that this won't be different for SHA-1 checksums - does
> anyone believe that by switching to SHA-256 they would check many more
> digits?
if they don't check more digits, then we can't help them. but it'd be
nice to offer a way for people to do a cryptographically-strong check if
they decide to do so.
but in general, i agree with you that published checksums are stopgap
measures at best, mainly fit for detecting corrupted downloads, and not
particularly useful against a targeted attack.
>> Also, the OpenPGP signature published at
>> https://files.gpg4win.org/gpg4win-2.3.0.exe.sig itself uses SHA1
>> internally. This is also a bad idea. signatures published today should
>
> Yes, that should be fixed because it is easy and not subject to the UX
> problems described above. FWIW, for GnuPG proper we switched to
> SHA-256 in 2012 (gnupg 1.4.12).
[...]
> [1] Right, the GnuPG speedo build script with its signed and published
> list of package versions also uses SHA-1 and that should be fixed
> before 2.2. (filed as bug@2226)
great, thanks!
--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic