Securely downloading Ubuntu
cjwatson at ubuntu.com
Tue Jan 29 12:00:56 UTC 2008
On Tue, Jan 29, 2008 at 09:57:55AM +0000, Matt Zimmerman wrote:
> There are two reasons for checking the hashes:
> Authentication - the downloaded image is in fact the official one provided
> by the Ubuntu project, unaltered
> Integrity - the downloaded image hasn't been randomly corrupted in transit
> (it happens that verifying authenticity ensures integrity as a side effect)
> Authentication, I believe, would be better served by signing the image
> directly. This both avoids an attack on the intervening checksums in
> MD5SUMS and provides a cryptographically stronger check. I believe the .gpg
> format already supports multiple signatures with different algorithms, so
> this would be reasonably future-proof.
Signing a message generally actually amounts to taking some hash of it
and signing that; you don't run expensive algorithms like RSA over the
whole message. Since the MD5 hashes are useful to expose anyway, I don't
see any cryptographic benefit in making GPG do this computation again
(aside from the possibility that it would use a different hash, but then
we could usefully expose the result of that hash too).
See e.g. http://en.wikipedia.org/wiki/Digital_signature for a short
discussion of why signatures are in fact implemented by signing a hash
rather than the whole message.
As Neal noted, MD5 hasn't yet had second-preimage attacks, so I am not
concerned about practical attacks at this time. Publishing SHA256 hashes
would be fairly reasonable; the only reason we have not yet done this is
that the checksumming process is already the slowest part of the CD
release process by some distance due to some inefficiencies in that
process (i.e. the images are checksummed again rather than copying the
existing checksums from the daily build), and I feel we should fix that
first; otherwise it makes release day even more painful.
Colin Watson [cjwatson at ubuntu.com]
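The thread above separates two checks: authentication of the checksum list (the signature over MD5SUMS, or a SHA256SUMS list, carried in a detached .gpg file and verified before the list is trusted, e.g. with `gpg --verify SHA256SUMS.gpg SHA256SUMS`) and integrity of each image against the entries in that list. The following added example, which is not code from the original mail or from the Ubuntu release tooling, implements the second step: it parses the coreutils-style `<hex>  <name>` / `<hex> *<name>` format that md5sum and sha256sum emit, streams the image through the named algorithm, and distinguishes a matching image from a corrupted one and from an image that the list does not cover at all. File names, the 1 MiB payload and the digests are constructed for the demonstration; the gpg verification of the list itself is assumed to have been done already and is not reimplemented here.

```python
import hashlib
import hmac
import os
import tempfile

# Ubuntu publishes one list per algorithm; the file name tells you which
# digest its entries hold. (Mapping assumed from the list names in the thread.)
SUMS_ALGORITHMS = {"MD5SUMS": "md5", "SHA256SUMS": "sha256"}


def parse_sums(text):
    """Parse a checksum list in md5sum/sha256sum output format.

    Each entry is '<hexdigest>  <name>' (text mode) or '<hexdigest> *<name>'
    (binary mode). Returns a dict mapping file name -> lowercase hex digest.
    Malformed lines raise rather than being silently skipped, so a truncated
    or mangled list cannot pass as a valid one.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        digest, name = parts
        name = name.lstrip("*")  # '*' is md5sum's binary-mode marker, not part of the name
        entries[name] = digest.lower()
    return entries


def file_digest(path, algorithm, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never sits in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path, sums_path, algorithm):
    """Check one downloaded image against an (already authenticated) list.

    Returns 'ok', 'mismatch' (bytes differ from the published digest) or
    'unlisted' (the list says nothing about this file, which is not a pass).
    """
    with open(sums_path, "r", encoding="utf-8") as f:
        listed = parse_sums(f.read())
    name = os.path.basename(image_path)
    if name not in listed:
        return "unlisted"
    actual = file_digest(image_path, algorithm)
    # The digests are public, so timing is not sensitive here; compare_digest
    # is still the idiomatic way to compare two hex digests.
    return "ok" if hmac.compare_digest(actual, listed[name]) else "mismatch"


def demo():
    """Build a constructed download directory and exercise each outcome.

    Returns a dict of scenario -> result for inspection; nothing is printed.
    """
    results = {}
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "example-desktop.iso")  # constructed file name
        payload = bytes(range(256)) * 4096  # 1 MiB of constructed "image" data
        with open(image, "wb") as f:
            f.write(payload)

        # Write one list per algorithm, exactly as the md5sum/sha256sum tools would.
        for sums_name, algo in SUMS_ALGORITHMS.items():
            digest = hashlib.new(algo, payload).hexdigest()
            with open(os.path.join(d, sums_name), "w", encoding="utf-8") as f:
                f.write(f"{digest} *{os.path.basename(image)}\n")
            results[f"{algo}_ok"] = verify_image(image, os.path.join(d, sums_name), algo)

        # Simulate transit corruption: flip one byte in the middle of the image.
        with open(image, "r+b") as f:
            f.seek(len(payload) // 2)
            original = f.read(1)
            f.seek(len(payload) // 2)
            f.write(bytes([original[0] ^ 0xFF]))
        results["sha256_corrupted"] = verify_image(
            image, os.path.join(d, "SHA256SUMS"), "sha256"
        )

        # A file the list never mentions must not be reported as verified.
        other = os.path.join(d, "not-on-the-list.iso")
        with open(other, "wb") as f:
            f.write(b"constructed bytes")
        results["unlisted"] = verify_image(other, os.path.join(d, "SHA256SUMS"), "sha256")
    return results


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The `unlisted` outcome is the one people tend to get wrong when scripting this: `sha256sum -c` only reports on files that appear in the list, so an image that was never covered by the signed list produces no failure line and can look verified when it was never checked at all.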