Re: feature request for coreutils: b2sum


From: Pádraig Brady
Subject: Re: feature request for coreutils: b2sum
Date: Sun, 9 Oct 2016 11:34:30 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0

On 09/10/16 05:59, Zooko Wilcox-OHearn wrote:
> Hello, folks!
> 
> It's been about a year since the last update in this thread. I was
> reminded of it because I saw a well-intentioned project using "md5sum"
> to let its users identify a specific distribution of its software. Of
> course, md5sum is not secure for that!
> 
> Since md5sum is vulnerable to "collision attacks", it can't be used to
> safely identify one specific file. Instead, what it can do is identify
> that "this file is one of the files that the creator of this file used
> when they created this hash". That's different. For example, if the
> computer on which the software was packaged was backdoored, it could
> potentially generate multiple tarballs, with the same md5sum, but one
> of the tarballs containing backdoors and the other being clean. Then
> whenever someone wanted to inspect the tarballs for backdoors, the
> attacker could provide the clean one for inspection, and whenever a
> user wanted to download the software, the attacker could provide the
> backdoored one.
> 
> Almost all users don't understand that md5sum can't protect them
> against this, so in this scenario they would check the md5sum, it
> would match, and they would proceed to use the backdoored software.
> 
> If people instead used a strong secure hash function like sha256sum or
> b2sum, then this hypothetical attacker would not be able to generate
> multiple packages matching the same hash. The attacker would have to
> decide whether to distribute the backdoored package, both to the
> inspectors and to the users, or to distribute the clean software, both
> to the inspectors and to the users. If they distributed different
> packages to different people, then someone would be receiving a
> package which did not match the hash.
> 
> A lot of people fail to understand this subtle difference, but it is
> really important. A collision-vulnerable hash like md5sum doesn't make
> a hash that matches _only one specific file_. Instead it makes a hash
> that matches _a set of files chosen by the creator of the hash_. A
> collision-resistant hash like sha256sum or b2sum makes a hash that
> matches _only one specific file_.
> 
> Okay, so that's why I care about this and why we all agreed in
> principle more than a year ago that replacing md5sum with something
> better was consistent with the GNU project's mission of helping
> protect users from being harmed through their networked software.
> 
> Now I'm coming back to this thread because openssl-1.1.0 is now the
> stable release of openssl, and it comes with BLAKE2b!
> 
> Now it should be a very simple patch to add BLAKE2b to:
> 
> http://git.savannah.gnu.org/cgit/coreutils.git/tree/src/md5sum.c
> 
> Unlike the slightly more involved patch that we were talking about
> earlier, of copying the BLAKE2b implementation into the coreutils tree.

Well we might copy also so that we're not totally dependent on openssl.
But great work getting it available there.
I'll look at adding b2sum hopefully for the upcoming release.

thanks,
Pádraig.
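
The check discussed in this thread, as an added example that is not part of the original messages or of coreutils: a minimal verifier for published BLAKE2b-512 checksum lines that refuses shorter digests (such as MD5-length values) instead of accepting them. It assumes the default untagged `<hex> <mode><name>` line layout used by the `*sum` tools; the file names and contents are constructed, and escaped file names and tagged lines are not handled.

```python
import hashlib
import os
import tempfile

DIGEST_HEX_LEN = 128  # BLAKE2b-512 digest, written as hex

def b2_file(path, chunk=1 << 16):
    """Stream a file through BLAKE2b-512 and return the hex digest."""
    h = hashlib.blake2b()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_line(line):
    """Split '<hex> <mode><name>' where mode is ' ' (text) or '*' (binary)."""
    hexdigest, sep, rest = line.rstrip("\n").partition(" ")
    if not sep or rest[:1] not in (" ", "*") or not rest[1:]:
        raise ValueError("malformed checksum line")
    return hexdigest.lower(), rest[1:]

def verify(lines, base_dir):
    """Return {name: status} for each published checksum line."""
    results = {}
    for line in lines:
        expected, name = parse_line(line)
        path = os.path.join(base_dir, name)
        if len(expected) != DIGEST_HEX_LEN:
            results[name] = "WRONG-ALGORITHM"  # e.g. 32 hex digits: refuse
        elif not os.path.isfile(path):
            results[name] = "MISSING"
        elif b2_file(path) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results

def demo():
    """Constructed sample: one intact file, one altered after publication."""
    with tempfile.TemporaryDirectory() as d:
        names = ("pkg-1.0.tar", "pkg-1.1.tar")
        for n in names:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"contents of " + n.encode())
        published = [f"{b2_file(os.path.join(d, n))}  {n}" for n in names]
        published.append("d41d8cd98f00b204e9800998ecf8427e  old.tar")  # MD5-length
        with open(os.path.join(d, "pkg-1.1.tar"), "ab") as f:
            f.write(b"extra")  # simulate a substituted download
        return verify(published, d)
```

The digest list itself still has to reach the user over a channel the distributor of the files cannot alter, for example a signed release announcement.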



