DaHai8
Posts: 55
Joined: Fri Jul 31, 2015 9:21 am

SHA-1 is Dead

Wed Mar 01, 2017 2:10 am

Raspbian OS is authenticated using SHA-1
Google has shown it is possible to collide SHA-1: https://security.googleblog.com/2017/02 ... ision.html
Plus, because only the ZIP file is SHA-1 hashed, and not its contents, this makes it even easier for someone to produce a 'fake' Raspbian Image ZIP file that contains anything but the true Raspbian OS (malware, spyware, trojans, viri, etc.)
You might consider using a newer/stronger hashing algorithm and hashing both the zip file and the img file considering the number of IoT devices based on the Pi, as well as educational, industrial, and corporate installations of these boards.

User avatar
rpdom
Posts: 15938
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: SHA-1 is Dead

Wed Mar 01, 2017 8:51 am

SHA-1 is not dead. It still has a place. What Google has shown is that it is possible under extremely manipulated circumstances to create a PDF that has the same SHA-1 sum as another PDF file.

The purpose of the SHA-1 in the Raspbian download is to detect that the file downloaded correctly, not that it isn't a hacked version.

Even then, it would take a lot of work for someone to create a download that came up with the same SHA-1 sum and somehow get it on to the Raspberry Pi download pages.

Read Linus Torvalds comments on git and SHA-1 here https://plus.google.com/+LinusTorvalds/ ... tp2gYWQugL

User avatar
DougieLawson
Posts: 36910
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: SHA-1 is Dead

Wed Mar 01, 2017 8:53 am

Even if it's possible, it's unlikely to change before Debian Buster (the one after Debian Stretch) in a couple of years time.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

Return to “Raspbian”