Securely downloading Ubuntu
Matt Zimmerman
mdz at ubuntu.com
Tue Jan 29 12:35:03 UTC 2008
On Tue, Jan 29, 2008 at 12:00:56PM +0000, Colin Watson wrote:
> Signing a message generally actually amounts to taking some hash of it
> and signing that; you don't run expensive algorithms like RSA over the
> whole message. Since the MD5 hashes are useful to expose anyway, I don't
> see any cryptographic benefit in making GPG do this computation again
> (aside from the possibility that it would use a different hash, but then
> we could usefully expose the result of that hash too).
>
> See e.g. http://en.wikipedia.org/wiki/Digital_signature for a short
> discussion of why signatures are in fact implemented by signing a hash
> rather than the whole message.

I suppose the main benefit would be in having a painless transition to newer
hash algorithms as GnuPG is updated. If we want to solve this once and for
all (and I think we do), then as Neal points out, we need to include support
for multiple hash algorithms, rather than merely switching from MD5 to
SHA-x. This means either generating multiple files in the existing format,
or requiring some other tool which can interpret the checksum file and
verify the images. GnuPG, as a widely available, standard tool which
handles this gracefully, seemed like a good choice.

> As Neal noted, MD5 hasn't yet had second-preimage attacks, so I am not
> concerned about practical attacks at this time. Publishing SHA256 hashes
> would be fairly reasonable; the only reason we have not yet done this is
> that the checksumming process is already the slowest part of the CD
> release process by some distance due to some inefficiencies in that
> process (i.e. the images are checksummed again rather than copying the
> existing checksums from the daily build), and I feel we should fix that
> first otherwise it makes release day even more painful.

It would be useful if we could do these in a single pass, but if we can't,
then I guess it makes sense to continue to sign the hashes instead. We'll
have to do this over again at some point, though.
--
- mdz
More information about the Ubuntu-devel-discuss mailing list
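The single-pass, multi-algorithm checksumming discussed in this message, as an added example that is not part of the original e-mail or of Ubuntu's release tooling. The function names, the algorithm set and the `MD5SUMS`/`SHA1SUMS`/`SHA256SUMS` file names are assumptions, and the sample image is constructed; signing the resulting checksum files is left to GnuPG.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")  # assumed set; the thread names MD5 and SHA256

def multi_hash(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Read the image once and feed every chunk to all hash objects."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def checksum_files(paths, algorithms=ALGORITHMS):
    """Return {"MD5SUMS": text, ...}, one file per algorithm, md5sum format."""
    lines = {name: [] for name in algorithms}
    for path in paths:
        for name, digest in multi_hash(path, algorithms).items():
            lines[name].append(f"{digest} *{os.path.basename(path)}\n")
    return {f"{name.upper()}SUMS": "".join(lines[name]) for name in algorithms}

def verify(path, sums):
    """True only if every checksum file lists the image with a matching digest."""
    algos = {fname: fname[:-len("SUMS")].lower() for fname in sums}
    actual = multi_hash(path, list(algos.values()))  # still a single read
    target = os.path.basename(path)
    for fname, text in sums.items():
        listed = {}
        for line in text.splitlines():
            digest, _, name = line.partition(" ")
            listed[name.lstrip(" *")] = digest
        if listed.get(target) != actual[algos[fname]]:
            return False
    return bool(sums)  # no checksum files at all is a failure, not a pass

def demo():
    # Constructed stand-in for an ISO image; content is the string "abc".
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "example.iso")
        with open(image, "wb") as fh:
            fh.write(b"abc")
        sums = checksum_files([image])
        ok = verify(image, sums)
        with open(image, "ab") as fh:
            fh.write(b"tampered")  # modify the image after checksumming
        return sums, ok, verify(image, sums)
```

Requiring every listed algorithm to match means a verifier keeps working as weaker hashes are dropped from the published set, and a collision in one algorithm alone does not pass.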