SHA-1 vs. SHA-256 checksums (was: Different SHA1 Checksum using Microsoft file checksum integrity verifier)
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sun Jan 24 20:30:07 CET 2016
On Sun 2016-01-24 13:55:38 -0500, Werner Koch wrote:
> If you talk to people on how they verify SSH fingerprints (that is even
> MD5 for most installations)
SSH key fingerprints are a different thing than software distribution
checksums because the material digested in ssh originates entirely from
one party, whereas the software distribution checksums can potentially
be influenced by multiple parties.
> you will so often hear: “Oh, I look at the first and a few of the
> last digits only”.
right, this is not a cryptographically-strong verification :)
> We can assume that this won't be different for SHA-1 checksums - does
> anyone believe that by switching to SHA-256 they would check many more
if they don't check more digits, then we can't help them. but it'd be
nice to offer a way for people to do a cryptographically-strong check if
they decide to do so.
but in general, i agree with you that published checksums are stopgap
measures at best, mainly fit for detecting corrupted downloads, and not
particularly useful against a targeted attack.
>> Also, the OpenPGP signature published at
>> https://files.gpg4win.org/gpg4win-2.3.0.exe.sig itself uses SHA1
>> internally. This is also a bad idea. signatures published today should
> Yes, that should be fixed because it is easy and not subject to the UX
> problems described above. FWIW, for GnuPG proper we switched to
> SHA-256 in 2012 (gnupg 1.4.12).
> Right, the GnuPG speedo build script with its signed and published
> list of package versions also uses SHA-1 and that should be fixed
> before 2.2. (filed as bug at 2226)