Message: md5 hashes: request for rmd160 or sha256 Not Logged In (login)
 Next-in-Thread Next-in-Thread
 Next-in-Forum Next-in-Forum

Question md5 hashes: request for rmd160 or sha256 

Forum: Installation and Configuration
Date: 02 Jul, 2013
From: Mojca Miklavec <Mojca Miklavec>

Hi,

I'm trying to create a new Geant4 package for MacPorts (current package is for version 9.4 and is based on GNU make). I was using MD5 checksums from cmake/Modules/Geant4DatasetDefinitions.cmake, but other developers urged me to add rmd160 and sha256 checksums for security reasons.

Citing Ryan Schmidt:

md5 is an insecure algorithm and should no longer be used on its own as a means of verifying anything. If that's all upstream publishes, then you can use it in a portfile, in addition to a secure algorithm like rmd160 or sha256, but please ask upstream to switch to a secure checksum method for their published values. ... Certainly if a malicious hacker can replace the software tarball on the original site with an altered version, they can probably replace the checksums on the web page as well.

But I want to make sure you understand that because of flaws in the md5 algorithm that make it possible to create collisions, the following events can occur:

- developer releases new version of software, publishing its md5 checksum

- later, a hacker releases a different tarball containing malicious software but which has the same md5 checksum; perhaps they cannot post it to the original server, but maybe they can compromise a mirror.

- you write a portfile for the new version, fetching the file from a compromised mirror; you verify the md5 checksum with what upstream published and it matches; you generate new rmd160 and sha256 checksums of the compromised file and put them in the portfile

- the software you now install via the portfile is not the software the developer developed

The solution is for upstream to cease using md5 as their distfile integrity verification method and switch to an algorithm that does not have such vulnerabilities.

Inline Depth:
 1 1
 All All
Outline Depth:
 1 1
 2 2
 All All
Add message: (add)

1 None: Re: md5 hashes: request for rmd160 or sha256   (Ben Morgan - 02 Jul, 2013)
(_ Ok: Re: md5 hashes: request for rmd160 or sha256   (Mojca Miklavec - 02 Jul, 2013)
(_ Note: Re: md5 hashes: request for rmd160 or sha256   (Ben Morgan - 04 Jul, 2013)
(_ Ok: Re: md5 hashes: request for rmd160 or sha256   (Mojca Miklavec - 04 Jul, 2013)
 Add Message Add Message
to: "md5 hashes: request for rmd160 or sha256"

 Subscribe Subscribe

This site runs SLAC HyperNews version 1.11-slac-98, derived from the original HyperNews


[ Geant 4 Home | Geant 4 HyperNews | Search | Request New Forum | Feedback ]