Securely downloading Ubuntu
Matt Zimmerman
mdz at ubuntu.com
Tue Jan 29 09:57:55 GMT 2008
On Mon, Jan 28, 2008 at 10:39:03AM -0700, Neal McBurnett wrote:
> On Mon, Jan 28, 2008 at 05:20:52PM +0000, Matt Zimmerman wrote:
> > On Mon, Jan 28, 2008 at 09:28:48AM -0700, Neal McBurnett wrote:
> > > > (I'm all in favor of moving to SHA256 or whatever is considered best
> > > > practice these days. I've just not heard that MD5 is really as broken as
> > > > I think Chris suggests here.)
> > >
> > > One easy thing to do is to also publish sha256 sums of the CD
> > > images, so if MD5 preimage attacks are developed, that would help.
> > >
> > > I think we should do that now, and consider a hash function in a
> > > different class also (whirlpool?).
> > >
> > > Shipping more hash functions in the base install would help a lot in a
> > > crisis, so users have what they need to validate software updates.
> > > I guess coreutils has the md5 and sha families well covered, but
> > > again, something different like whirlpool could help a lot some day.
> >
> > Perhaps we should publish detached signatures for each ISO rather than
> > signing MD5SUMS?
>
> From what I've heard, the main principle for dealing with hash issues
> is "algorithm agility" - i.e. making it easy for folks to use multiple
> algorithms.
>
> Publishing detached signatures is a way to make the user interface
> easier (perhaps) for folks that want to validate the gpg signature.
> But I would think many (especially those without a good way to trust
> the gpg key, as noted previously) would want to just be able to
> validate hashes.
>
> I would still argue for the use of multiple hash algorithms, and I
> guess for gpg that means multiple detached signatures, one per hash
> algorithm. And some are not supported by all versions of gpg....
>
> I'd suggest we publish a "CHECKSUMS" file with a good assortment of
> hashes in text format, and also sign that.
There are two reasons for checking the hashes:
Authentication - the downloaded image is in fact the official one provided
by the Ubuntu project, unaltered
Integrity - the downloaded image hasn't been randomly corrupted in transit
(it happens that verifying authenticity ensures integrity as a side effect)
Authentication, I believe, would be better served by signing the image
directly. This both avoids an attack on the intervening checksums in
MD5SUMS and provides a cryptographically stronger check. I believe the .gpg
format already supports multiple signatures with different algorithms, so
this would be reasonably future-proof.
Integrity is served well enough by the existing MD5 hashes, which are still
extremely robust against unintentional corruption.
The above is based on only a very basic understanding of cryptography,
however, so corrections are welcome from folks with more experience in this
area.
--
- mdz
More information about the ubuntu-devel
mailing list