
Far better to use public-key signatures

Posted Dec 20, 2007 5:39 UTC (Thu) by khim (subscriber, #9252)
Parent article: The backdooring of SquirrelMail

I can only say "huh?". It's certainly true that public-key signatures are impossible to replace if you don't have access to the private key. It's very much not true that they have a longer shelf life! If you try to sign a multi-megabyte archive by using RSA or DSS directly, the process will take minutes if not hours, and the check will be just as slow; thus ALL public-key cryptography depends on "normal" hashes (usually SHA1 today) in practice! Of course, if MD5 or SHA1 is broken, a public-key signing scheme based on MD5 or SHA1 is broken as well...



Far better to use public-key signatures

Posted Dec 20, 2007 7:45 UTC (Thu) by anselm (subscriber, #2796)

One short-term way of alleviating this problem could be by publishing (and signing) both an MD5 and an SHA-1 checksum of the archive(s) in question. Even if an ambitious attacker managed to find a way to compromise an archive such that its MD5 or SHA-1 checksum stayed the same while the modified code still made sense, finding such a compromise that kept both hashes identical would be that much more difficult. (For extra credit, use two hash functions that are not as closely related as MD5 and SHA-1, or add a third one.)

Far better to use public-key signatures

Posted Dec 20, 2007 18:03 UTC (Thu) by hmh (subscriber, #3838)

And, also add the size of the files. Might as well make things even a little more difficult for the attacker by reducing even more the set of possible streams he can use...
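
The scheme sketched in the comments above (khim's point that a signature in practice covers a hash, and anselm's and hmh's proposal to publish a signed manifest carrying several hashes plus the file size) as an added example that is not part of the original thread or of the SquirrelMail project. The manifest format, the file name and the sample archive bytes are constructed for illustration; the detached signature the project would put over the manifest text (e.g. with gpg) is outside this block, which only builds and checks the manifest itself.

```python
import hashlib

# Constructed sample "release archive"; these are not real SquirrelMail bytes.
ORIGINAL_ARCHIVE = b"squirrelmail-1.4.12.tar.bz2 (constructed sample bytes)\n" * 64

# Constructed tampered copy: identical length, one byte flipped, so only the
# digests (not the size) can reveal the change.
_tampered = bytearray(ORIGINAL_ARCHIVE)
_tampered[100] ^= 0x01
TAMPERED_ARCHIVE = bytes(_tampered)

# Digests the manifest carries. The thread proposes MD5 plus SHA-1 and the
# size; SHA-256 is included here as the "less closely related" third hash
# anselm mentions. Order matters only for the failure report below.
DIGESTS = ("md5", "sha1", "sha256")


def make_manifest(name, data):
    """Return the manifest text a project would publish for one file.

    This text (a few hundred bytes) is what the public-key signature is made
    over, which is the hash-then-sign arrangement khim describes: RSA/DSA never
    touch the multi-megabyte archive directly. Format is hypothetical.
    """
    lines = [f"File: {name}", f"Size: {len(data)}"]
    for algo in DIGESTS:
        lines.append(f"{algo.upper()}: {hashlib.new(algo, data).hexdigest()}")
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Split 'Key: value' lines into a dict; unknown keys are kept but ignored."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def verify(data, manifest_text):
    """Accept a downloaded file only if the size AND every digest match.

    Returns (ok, failures) where failures lists the manifest fields that did
    not match. The size is checked first: it is free, and a wrong-length
    stream can be rejected without hashing it at all (hmh's point).
    """
    fields = parse_manifest(manifest_text)
    if int(fields["Size"]) != len(data):
        return False, ["Size"]
    failures = []
    for algo in DIGESTS:
        expected = fields.get(algo.upper())
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison is not needed here (digests are public),
        # but every listed digest must be present and must match.
        if expected is None or expected != actual:
            failures.append(algo.upper())
    return not failures, failures


if __name__ == "__main__":
    manifest = make_manifest("squirrelmail-1.4.12.tar.bz2", ORIGINAL_ARCHIVE)
    print(manifest)
    print("original:", verify(ORIGINAL_ARCHIVE, manifest))
    print("tampered:", verify(TAMPERED_ARCHIVE, manifest))
    print("truncated:", verify(ORIGINAL_ARCHIVE[:-1], manifest))
```

A verifier that checked only one of the listed digests would be back to the single-hash situation the thread worries about; requiring all fields is what makes the extra columns in the manifest worth publishing, and the signature over the manifest is what stops an attacker who replaced the archive on the mirror from simply replacing the manifest too.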

Far better to use public-key signatures

Posted Dec 20, 2007 19:19 UTC (Thu) by rise (guest, #5045)

Sadly it's been shown that using both hashes doesn't increase the work factor by very much.

Far better to use public-key signatures

Posted Dec 20, 2007 19:30 UTC (Thu) by smoogen (subscriber, #97)

One has to take into effect that when most times people say that it doesn't increase the work load they are talking about order of magnitude things... and that it doesn't increase the factor if certain factors are true. Finding a match between SHA1 and 'pull out unrelated of my butt' Hash might only extend the time to see it by months or years versus decades... and is not non-trivial... may only be 'trivial' to the mathematician who was testing it against a theoretical 10^20 years to find a match.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds