Re: SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?

2016-03-20 Thread Daniel Kahn Gillmor
On Fri 2016-03-18 03:21:30 -0400, Werner Koch wrote:
> Most people are actually not able to check even the SHA-1 checksums
> because they are missing a tool to do so (e.g. Windows) and have not the
> knowledge to install or compile and audit a shaXsum tool.

On any modern Windows installation (since Vista at least, i think) there
is "certutil.exe"

  https://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_hashfile

the syntax is:
 
  certutil -hashfile FileToHash.ext sha256

Looks like there's an older version available even for Windows XP (not
that i recommend anyone use that) via something called "Windows Server
2003 Administration Pack":

 https://support.microsoft.com/en-us/kb/934576?spid=12925=1569
 (appears to require javascript, sorry)

> Further, in my experience many users do not check the entire SHA-1 sum
> but just a few of the first and last digits.  With the longer and
> harder to read SHA-256 checksums this will only get worse (“oh yes,
> the checksum is longer and thus safer and thus I need to compare less
> digits” :-().

Right, but surely you wouldn't advocate only displaying the first and
last few digits of the SHA1 digest just because most people aren't going
to look at anything else.  Right?

At any rate, checking the first and last X digits of SHA-256 is probably
better than checking the first and last X digits of SHA-1, for any value
of X.  SHA-1 has worse cryptographic properties than SHA-256 (and about
a decade more of intense analysis that reveals flaws).  Likewise, i'm
glad that we at least offer SHA-1, even though it's longer and harder to
read than MD5, which itself is longer and harder to read than CRC32 :P

We cannot force anyone to compare anything, but we can choose whether we
give them the information that is capable of strong comparison. (while
understanding that it's not meaningful in the face of webserver
compromise)

--dkg

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
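As an added example (not code from this thread or from the GnuPG project), the following Python script does on any platform with Python installed what certutil, Get-FileHash or a shaXsum tool does: it hashes a downloaded file with SHA-1 or SHA-256, normalises the spaced or upper-case forms such tools print, refuses to compare anything shorter than the complete digest (so the "first and last few digits" habit is not silently accepted as a check), and confirms that digests obtained from two independent sources agree before trusting either. The "downloaded file", the "announced" and "web page" digests and all function names are constructed for the example; the digests are the published SHA-1 and SHA-256 test vectors for the bytes "abc".

```python
import hashlib
import hmac
import os
import tempfile

# Hex length of a complete digest for each algorithm we accept.
DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64}


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks (stdlib stand-in for sha256sum / certutil -hashfile)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize(digest_hex):
    """Accept the spaced or upper-case forms tools print; return lower-case hex."""
    return "".join(digest_hex.split()).lower()


def verify(path, expected_hex, algorithm="sha256"):
    """Return True iff the file's digest equals the full expected digest.

    Raises ValueError instead of comparing a truncated or malformed digest,
    so a "first and last few digits" value cannot pass as a check.
    """
    expected = normalize(expected_hex)
    want = DIGEST_HEX_LEN[algorithm]
    if len(expected) != want:
        raise ValueError(f"need all {want} hex digits of a {algorithm} digest, got {len(expected)}")
    if any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("digest contains non-hex characters")
    actual = file_digest(path, algorithm)
    # Constant-time compare; habit more than necessity for a public digest.
    return hmac.compare_digest(actual, expected)


def sources_agree(*digest_hexes):
    """True iff every digest (e.g. web page vs. mirrored announcement) is identical."""
    return len({normalize(d) for d in digest_hexes}) == 1


def demo():
    """Constructed walk-through; returns a dict of outcomes (all expected True)."""
    # Published test vectors for the bytes b"abc" stand in for announced digests.
    announced_sha256 = "BA78 16BF 8F01 CFEA 4141 40DE 5DAE 2223 B003 61A3 9617 7A9C B410 FF61 F200 15AD"
    webpage_sha256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    announced_sha1 = "a9993e364706816aba3e25717850c26c9cd0d89d"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "download.bin")
        with open(path, "wb") as f:
            f.write(b"abc")  # constructed "downloaded file"
        # Step 1: the two independently obtained digests must match each other.
        results["sources_agree"] = sources_agree(announced_sha256, webpage_sha256)
        # Step 2: the file must match the full digest, whichever algorithm is offered.
        results["sha256_ok"] = verify(path, announced_sha256, "sha256")
        results["sha1_ok"] = verify(path, announced_sha1, "sha1")
        # A modified download (one byte changed) must fail the full comparison.
        with open(path, "wb") as f:
            f.write(b"abd")
        results["tamper_detected"] = not verify(path, webpage_sha256, "sha256")
        # Comparing only the ends of the digest is refused rather than guessed at.
        try:
            verify(path, "ba7816bf...f20015ad", "sha256")
            results["partial_rejected"] = False
        except ValueError:
            results["partial_rejected"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The length check is the part worth copying: a tool that accepts whatever digest fragment it is handed turns the "compare the first and last few digits" shortcut into something that looks like a successful verification.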


Re: SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?

2016-03-19 Thread Doug Barton

On 03/17/2016 01:00 PM, Kristian Fiskerstrand wrote:

> so if the server was to be compromised in some way ...

... the checksum (that you are downloading from the same server) becomes
useless.

Doug




Re: SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?

2016-03-19 Thread Fabian Santiago

> 
> What is your threat model?  FWIW, pre-image attacks on SHA-1 are not
> even on the horizon.
> 

Pre-image attack?

- Fabian s





Re: SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?

2016-03-19 Thread Kristian Fiskerstrand

On 03/17/2016 08:44 PM, Daniel Kahn Gillmor wrote:

> FWIW, the threat model of digest algorithms being published on an 
> HTTPS website that then links to the file to be downloaded is much 
> easier to work around than by compromising SHA-1's preimage 
> resistance (or even collision resistance for that matter).
> 
> However, it makes more sense to me to just move everything to 
> sha-256 today.  Anyone who actually checks the digests should be 
> capable of using sha256 today, and it would avoid this sort of 
> question coming up in the future.

An argument could be made to remove the checksum altogether and focus
only on proper verification of the OpenPGP signature. Of course the
issue will persist in order to get a good basis for certificate
verification, so if the server was to be compromised in some way and
the user doesn't have a path; and this is the first download so the TOFU
scenario fails .. and they aren't doing some probabilistic
consideration based on other public sources as well, the end result
will be the same as having provided the checksum, but...

-- 
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP key at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Aquila non capit muscas
The eagle does not hunt flies



Re: SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?

2016-03-19 Thread MFPA


On Friday 18 March 2016 at 2:45:28 PM, in , Daniel Kahn Gillmor wrote:

> On any modern Windows installation (since Vista at least, i think) there
> is "certutil.exe"
>
> https://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_hashfile
>
> the syntax is:
>
>   certutil -hashfile FileToHash.ext sha256

In Windows 10 (and possibly earlier) there is also the "Get-FileHash" cmdlet.

This works in PowerShell, not in an ordinary Command window. The
syntax is:

   Get-FileHash FileToHash.ext -Algorithm sha1





--
Best regards

MFPA  

Wait. You think I'm right?






Re: SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?

2016-03-19 Thread Werner Koch
On Thu, 17 Mar 2016 19:01, youcanli...@gmail.com said:
> Any idea when you'll replace the SHA-1 checksums at the following page?

What is your threat model?  FWIW, pre-image attacks on SHA-1 are not
even on the horizon.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?

2016-03-19 Thread Daniel Kahn Gillmor
On Thu 2016-03-17 15:34:08 -0400, Fabian Santiago wrote:
>> 
>> What is your threat model?  FWIW, pre-image attacks on SHA-1 are not
>> even on the horizon.
>> 
>
> Pre-image attack?

https://en.wikipedia.org/wiki/Preimage_attack

FWIW, the threat model of digest algorithms being published on an HTTPS
website that then links to the file to be downloaded is much easier to
work around than by compromising SHA-1's preimage resistance (or even
collision resistance for that matter).

However, it makes more sense to me to just move everything to sha-256
today.  Anyone who actually checks the digests should be capable of
using sha256 today, and it would avoid this sort of question coming up
in the future.

--dkg



Re: SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?

2016-03-19 Thread Werner Koch
On Fri, 18 Mar 2016 08:21, w...@gnupg.org said:

> I'll look at how we can improve the description on the web page.

Actually the current text does not look too bad:

   If you are not able to use an old version of GnuPG, you can still
   verify the file's SHA-1 checksum.  This is less secure, because if
   someone modified the files as they were transferred to you, it
   would not be much more effort to modify the checksums that you see
   on this webpage.  As such, if you use this method, you should
   compare the checksums with those in release announcement.  This is
   sent to the gnupg-announce mailing list (among others), which is
   widely mirrored.  Don't use the mailing list archive on this
   website, but find the announcement on several other websites and
   make sure the checksum is consistent.  This makes it more difficult
   for an attacker to trick you into installing a modified version of
   the software.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?

2016-03-19 Thread Werner Koch
On Fri, 18 Mar 2016 15:45, d...@fifthhorseman.net said:

> On any modern Windows installation (since Vista at least, i think) there
> is "certutil.exe"

I know but I have also seen on the gpg4win mailing list that people have
problems using it or any other tool.

Also worse than checksums or real signatures, I meanwhile think that an
Authenticode signature would overall improve the situation.

> Right, but surely you wouldn't advocate only displaying the first and
> last few digits of the SHA1 digest just because most people aren't going
> to look at anything else.  Right?

Ack.

> glad that we at least offer SHA-1, even though it's longer and harder to
> read than MD5, which itself is longer and harder to read than CRC32 :P

Well, MD5 is out of every discussion - despite that not too old OpenSSH
versions still use it for fingerprints by default.  But then again, who
really checks the fingerprints ;-)



Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?

2016-03-19 Thread Werner Koch
On Thu, 17 Mar 2016 20:44, d...@fifthhorseman.net said:

> FWIW, the threat model of digest algorithms being published on an HTTPS
> website that then links to the file to be downloaded is much easier to
> work around than by compromising SHA-1's preimage resistance (or even

I fully agree and I view checksums only as the last resort to verify
something downloaded.  However sometimes it is required - there are some
OS which do not have gpg installed (OpenBSD, Windows) and there needs to
be a way to bootstrap the installation.

Of course the checksums on the web page are not sufficient and they do
only work because we also announce them by mail and also by means of a
signed file (gnupg.org/swdb.lst{,.sig}).  Any non-targeted tampering of
the checksum will likely be reported soon.  In fact we had such reports
in the past due to a c+p bug by me.

I'll look at how we can improve the description on the web page.

> However, it makes more sense to me to just move everything to sha-256
> today.  Anyone who actually checks the digests should be capable of
> using sha256 today, and it would avoid this sort of question coming up

Most people are actually not able to check even the SHA-1 checksums
because they are missing a tool to do so (e.g. Windows) and do not have
the knowledge to install or compile and audit a shaXsum tool.  Further, in
my experience many users do not check the entire SHA-1 sum but just a
few of the first and last digits.  With the longer and harder to read
SHA-256 checksums this will only get worse (“oh yes, the checksum is
longer and thus safer and thus I need to compare less digits” :-().


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?

2016-03-19 Thread Brian Minton
Windows has certutil built-in.

On Fri, Mar 18, 2016, 3:27 AM Werner Koch  wrote:

> On Thu, 17 Mar 2016 20:44, d...@fifthhorseman.net said:
>
> > FWIW, the threat model of digest algorithms being published on an HTTPS
> > website that then links to the file to be downloaded is much easier to
> > work around than by compromising SHA-1's preimage resistance (or even
>
> I fully agree and I view checksums only as the last resort to verify
> something downloaded.  However sometimes it is required - there are some
> OS which do not have gpg installed (OpenBSD, Windows) and there needs to
> be a way to bootstrap the installation.
>
> Of course the checksums on the web page are not sufficient and they do
> only work because we also announce them by mail and also by means of a
> signed file (gnupg.org/swdb.lst{,.sig}).
> Any non-targeted tampering of
> the checksum will likely be reported soon.  In fact we had such reports
> in the past due to a c+p bug by me.
>
> I'll look at how we can improve the description on the web page.
>
> > However, it makes more sense to me to just move everything to sha-256
> > today.  Anyone who actually checks the digests should be capable of
> > using sha256 today, and it would avoid this sort of question coming up
>
> Most people are actually not able to check even the SHA-1 checksums
> because they are missing a tool to do so (e.g. Windows) and do not have
> the knowledge to install or compile and audit a shaXsum tool.  Further, in
> my experience many users do not check the entire SHA-1 sum but just a
> few of the first and last digits.  With the longer and harder to read
> SHA-256 checksums this will only get worse (“oh yes, the checksum is
> longer and thus safer and thus I need to compare less digits” :-().
>
>
> Shalom-Salam,
>
>Werner
>
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>
>