MD5 or SHA256

Ideas to everything that could be useful. Proposals and tips for JonDonym programming.
Post Reply
cane

MD5 or SHA256

Post by cane » Sun Oct 19, 2014 0:58

just as a short tip: you could use sha256 check sums for your jondo live-dvd. tails already has sha256. md5 check sums are not really state of the art in my view.
If you want to be sure you got the iso image I created, please verify the OpenPGP signature! A short tutorial you may find in our online help: https://anonymous-proxy-servers.net/en/ ... turen.html

Hashes like MD5 or SHA256 or what ever are only for download verification. It is NOT a cryptografic verification you got the file created by the developer. If an attacker hacked the server he can modify the downloads AND the signature hashes published on the website like MD5 or SHA256 or what ever too.

State of the art are public key signatures created with a private key. Almost all security related projects (like TorBrowserBundle, JonDonym, TAILS and others) offer OpenPGP signatures created by the developers for verification.

I think, for simple download verification MD5 hashes are more than enough for this purpose. But I don't want a discussion. If you prefer SHA256 you will get it - no problem.

andy99
Posts: 49
Joined: Wed Aug 20, 2014 23:14

Re: MD5 or SHA256

Post by andy99 » Sun Oct 19, 2014 2:07

The man behind md5 said that this standard should not be state of the art anymore in 2012.

And Bruce Schneier said that is is not safe in 2005.

f09j300
Posts: 58
Joined: Sun Aug 31, 2014 22:22

Re: MD5 or SHA256

Post by f09j300 » Wed Dec 31, 2014 18:26

If an attacker hacked the server he can also change the signature file and the signing key. So what?

cane

Re: MD5 or SHA256

Post by cane » Thu Jan 01, 2015 0:57

An attacker can't change the signing key for all users, because many users downloaded the key a long time ago. The keys are part of the live-dvd.... and some other reasons.

No user can recognize a modification of a hash.

f09j300
Posts: 58
Joined: Sun Aug 31, 2014 22:22

Re: MD5 or SHA256

Post by f09j300 » Sun Jan 25, 2015 17:55

No one will check the Signature weeks after he started using the DVD. They check after download by taking the signature file and the signing key from the server. If changed by a hacker, they take both changed and won't notice.

Post Reply