On Sun, Jul 08, 2012 at 09:36:33PM +0000, Christian Weisgerber wrote:
> Christian Weisgerber <na...@mips.inka.de> wrote:
> 
> > It's time to drop MD5 from the distinfo checksums.  MD5 cannot
> > guarantee the integrity of a distfile.  It is broken, people are
> > finding collisions and have used this for practical attacks.
> > 
> > Espie has previously suggested that having several different hash
> > functions might improve overall security.  In this paper,
> > http://www.iacr.org/cryptodb/archive/2004/CRYPTO/1472/1472.pdf
> > Antoine Joux argues otherwise.  The concatenation of two iterated
> > hash functions is not stronger than its strongest component.
> 
> There has been some further disjointed discussion on this that I
> would like to put into a common forum here.  Matthew Dempsky has
> suggested to drop the RIPEMD-160 and SHA-1 hashes as well.  And:
> 
> Matthew Dempsky <matt...@dempsky.org>:
> 
> | On Sun, Jul 8, 2012 at 2:09 AM, Stuart Henderson <st...@openbsd.org> wrote:
> | > I do think it's useful to have two hashes from different families though,
> | > I've just been looking at the bsd.port.mk code that runs checksums, thinking
> | > of making it check *all* of PREFERRED_CIPHERS rather than just the first
> | > matching one. For that, iirc SHA-1 is a different family to SHA-256 so
> | > I think using those two together would be ok.
> | 
> | Yeah, my understanding is SHA-1 and SHA-256 are different families
> | too, so if we really want two separate families of hashes I think
> | that's okay.  I'm just not sure that really buys much.  NIST has
> | already been discouraging SHA-1's use since 2005
> | (http://csrc.nist.gov/groups/ST/hash/statement.html; "Federal agencies
> | must stop relying on digital signatures that are generated using SHA-1
> | by the end of 2010").  I think SHA-256 would have to be pretty
> | catastrophically broken for its security to drop below SHA-1 in
> | security, and any attack that breaks SHA-256 overnight would probably
> | significantly affect SHA-1 too.
> 
> FWIW, I agree with Matthew.

Oh well, but we keep the framework that can generate multiple hashes if
need be...
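The thread turns on two practical points: a deprecated algorithm such as MD5 should not count toward a distfile's integrity even when it matches, and if several digests are listed, the check should verify all of the accepted ones rather than stop at the first algorithm it recognises. The following is an added example written for this page, not code from the thread or from OpenBSD's bsd.port.mk; the distinfo line format (`ALGO (file) = hexdigest`), the `ACCEPTED`/`DEPRECATED` policy lists and the sample distfile bytes are assumptions constructed for the example.

```python
"""Added example (not from the thread or from OpenBSD's bsd.port.mk):
a small distinfo-style checker that verifies every accepted digest listed
for a distfile instead of stopping at the first matching algorithm, and
that never lets a deprecated algorithm (MD5 here) satisfy the check.
The 'ALGO (file) = hexdigest' line format is an assumption for this example."""
import hashlib
import re

# Policy, in preference order: algorithms whose match counts toward integrity.
ACCEPTED = ("SHA256", "SHA1")
# Algorithms that are parsed for reporting but never trusted, even if they match.
DEPRECATED = ("MD5",)

HASHLIB_NAMES = {"SHA256": "sha256", "SHA1": "sha1", "MD5": "md5"}

_LINE = re.compile(r"^(\w+) \((\S+)\) = ([0-9a-fA-F]+)$")


def make_distinfo(name, data, algos=("MD5", "SHA1", "SHA256")):
    """Build constructed distinfo text for `data` so the example is self-contained."""
    lines = []
    for algo in algos:
        digest = hashlib.new(HASHLIB_NAMES[algo], data).hexdigest()
        lines.append("%s (%s) = %s" % (algo, name, digest))
    return "\n".join(lines) + "\n"


def parse_distinfo(text):
    """Return {filename: {ALGO: hexdigest}} from distinfo lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparseable distinfo line: %r" % line)
        algo, name, digest = m.group(1).upper(), m.group(2), m.group(3).lower()
        entries.setdefault(name, {})[algo] = digest
    return entries


def verify_distfile(distinfo_text, name, data):
    """Check all accepted digests listed for `name` against `data`.

    Returns (ok, report): report maps ALGO -> 'match' / 'mismatch' / 'ignored'.
    ok is True only if at least one accepted digest is listed and every
    accepted digest matches; deprecated or unknown algorithms are ignored.
    """
    listed = parse_distinfo(distinfo_text).get(name, {})
    report = {}
    trusted_matches = 0
    for algo, expected in listed.items():
        if algo in DEPRECATED or algo not in ACCEPTED:
            report[algo] = "ignored"
            continue
        actual = hashlib.new(HASHLIB_NAMES[algo], data).hexdigest()
        if actual == expected:
            report[algo] = "match"
            trusted_matches += 1
        else:
            report[algo] = "mismatch"
    ok = trusted_matches > 0 and "mismatch" not in report.values()
    return ok, report


if __name__ == "__main__":
    # Constructed sample distfile contents, not a real distribution file.
    good = b"constructed distfile contents\n"
    distinfo = make_distinfo("foo-1.0.tar.gz", good)
    print(verify_distfile(distinfo, "foo-1.0.tar.gz", good))
    print(verify_distfile(distinfo, "foo-1.0.tar.gz", good + b"tampered"))
    # A distinfo carrying only MD5 can never pass, matching or not.
    print(verify_distfile(make_distinfo("foo-1.0.tar.gz", good, ("MD5",)),
                          "foo-1.0.tar.gz", good))
```

With a correct distfile both SHA-256 and SHA-1 report `match` and MD5 is `ignored`; with tampered contents every accepted digest reports `mismatch`; and a distinfo that lists only MD5 fails even though the MD5 value matches, which is the policy the thread is converging on.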