Subject: Re: Verifying a kernel.
To: Jason Thorpe <thorpej@shagadelic.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-kern
Date: 07/20/2005 12:15:10
In message <8581520D-6EBA-44E7-B311-82EF3155D1D0@shagadelic.org>, Jason Thorpe
writes:
>
>On Jul 20, 2005, at 5:26 AM, Tonnerre wrote:
>
>> Don't allow MD5! Also, SHA1 is a candidate that shouldn't be
>> trusted just
>> like this. Why?
>>
>> - people might use it
>> - people might decide to use it for security relevant functions
>> - people are thereby prone to the typical MD5 bit flipping attacks
>> et al.
>>
>> I'm talking myself blue in the face on that: Don't use md5.
>
>We're not talking about a digital signature algorithm here. We're
>simply talking about a checksum that can be used to ensure that the
>bits on disk landed in memory correctly. There is no reason to
>disallow MD5 for this.
>
There's a subtle distinction here between a *safety* algorithm and a
*security* algorithm. The former deals with naturally-occurring
failures; the latter deals with enemy action. The two are not the
same. If I (and Jason) correctly understand Matt's question, we're
talking about a safety algorithm. MD5 is fine for that. CRC32 is
probably not, though -- the size of the kernel is such that the
probability of an undetected error is too high.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
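
The safety/security distinction drawn in the message above, as an added example that is not part of the original thread. It assumes the unkeyed checksums are stored on the same writable medium as the image and that the HMAC key sits where an adversary cannot read it; the image bytes, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

def checksums(image: bytes) -> dict:
    """Unkeyed checksums a loader could store beside the image."""
    md5 = hashlib.md5(image, usedforsecurity=False).hexdigest()
    return {"crc32": zlib.crc32(image), "md5": md5}

def verify_unkeyed(image: bytes, stored: dict) -> bool:
    """Safety check: do the bits in memory match the stored checksums?"""
    return checksums(image) == stored

def mac(key: bytes, image: bytes) -> bytes:
    """Keyed tag: cannot be recomputed without the key."""
    return hmac.new(key, image, hashlib.sha256).digest()

def verify_keyed(key: bytes, image: bytes, tag: bytes) -> bool:
    """Security check: constant-time comparison against the stored tag."""
    return hmac.compare_digest(mac(key, image), tag)

def flip_bit(data: bytes, bit_index: int) -> bytes:
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)

def demo() -> dict:
    image = bytes(range(256)) * 16      # constructed stand-in for a kernel image
    key = b"constructed-demo-key-32-bytes!!!"   # assumption: kept off the disk
    stored = checksums(image)
    tag = mac(key, image)

    # Naturally occurring failure: one bit changes, stored values do not.
    damaged = flip_bit(image, 12345)

    # Enemy action: the image is replaced and the unkeyed checksums stored
    # next to it are rewritten to match. The keyed tag cannot be rewritten.
    replaced = image[::-1]
    rewritten = checksums(replaced)

    return {
        "intact_ok": verify_unkeyed(image, stored),
        "bitflip_detected": not verify_unkeyed(damaged, stored),
        "replaced_passes_unkeyed": verify_unkeyed(replaced, rewritten),
        "replaced_detected_keyed": not verify_keyed(key, replaced, tag),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

An unkeyed checksum of any strength answers only the safety question; the last two results show that the security question needs a secret (or a signature) in the verification path.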