DaHai8
Posts: 55
Joined: Fri Jul 31, 2015 9:21 am

SHA-1 is Dead

Wed Mar 01, 2017 2:10 am

Raspbian OS is authenticated using SHA-1
Google has shown it is possible to collide SHA-1: https://security.googleblog.com/2017/02 ... ision.html
Plus, because only the ZIP file is SHA-1 hashed, and not its contents, this makes it even easier for someone to produce a 'fake' Raspbian Image ZIP file that contains anything but the true Raspbian OS (malware, spyware, trojans, viruses, etc.)
You might consider using a newer/stronger hashing algorithm and hashing both the zip file and the img file considering the number of IoT devices based on the Pi, as well as educational, industrial, and corporate installations of these boards.
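
A way to put the suggestion above into practice (an added example, not code from the original post or from the Raspberry Pi Foundation): verify a downloaded archive with SHA-256 at two levels, the zip itself and the .img it contains, streaming the member out of the archive rather than extracting it to disk. The image name, bytes and published digests here are constructed stand-ins, not the real Raspbian release.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed sample data standing in for a Raspbian .zip/.img pair.
# Names and bytes are assumptions for this example, not the real image.
IMG_NAME = "example-raspbian.img"
IMG_BYTES = b"\x00" * 512 + b"EXAMPLE IMAGE CONTENT\n" + b"\xff" * 512
ALGO = "sha256"  # stronger than the SHA-1 published on the download page


def build_zip(members):
    """Build a deterministic in-memory zip from {name: bytes} (fixed timestamp)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            info = zipfile.ZipInfo(name, date_time=(2017, 3, 1, 0, 0, 0))
            zf.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def stream_digest(fileobj, algo=ALGO, chunk=1 << 20):
    """Hash a file-like object in chunks so multi-GB images need little memory."""
    h = hashlib.new(algo)
    for block in iter(lambda: fileobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def digest(data, algo=ALGO):
    """Hex digest of an in-memory byte string."""
    return stream_digest(io.BytesIO(data), algo)


def verify_download(zip_bytes, expected, algo=ALGO):
    """Check the archive AND the image inside it against published digests.

    expected = {"zip": <hex>, "img": <hex>}. Returns a dict of booleans so the
    caller can tell a corrupted download from a mis-packaged or swapped image.
    The member is hashed through zf.open(), never extracted to disk, so a
    crafted member name cannot write outside the working directory.
    """
    results = {"zip_ok": False, "img_ok": False, "single_member": False}
    results["zip_ok"] = hmac.compare_digest(digest(zip_bytes, algo),
                                            expected["zip"].lower())
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        # A genuine release carries exactly one member: the image.
        results["single_member"] = names == [IMG_NAME]
        if IMG_NAME in names:
            with zf.open(IMG_NAME) as f:
                results["img_ok"] = hmac.compare_digest(stream_digest(f, algo),
                                                        expected["img"].lower())
    return results


if __name__ == "__main__":
    good_zip = build_zip({IMG_NAME: IMG_BYTES})
    # Constructed "published" digests, computed from the sample release itself.
    published = {"zip": digest(good_zip), "img": digest(IMG_BYTES)}
    print("genuine:      ", verify_download(good_zip, published))
    swapped = build_zip({IMG_NAME: IMG_BYTES + b"extra"})
    print("swapped image:", verify_download(swapped, published))
    padded = build_zip({IMG_NAME: IMG_BYTES, "README.txt": b"hi"})
    print("extra member: ", verify_download(padded, published))
```

The second digest is what makes a zip-level collision insufficient on its own: even a crafted archive that matched the published zip digest would still have to contain an image matching the published image digest. Neither check helps if the download page and its digests are replaced together; for that case the publisher needs a detached signature over the digests rather than a stronger hash.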

rpdom
Posts: 17188
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: SHA-1 is Dead

Wed Mar 01, 2017 8:51 am

SHA-1 is not dead. It still has a place. What Google has shown is that it is possible under extremely manipulated circumstances to create a PDF that has the same SHA-1 sum as another PDF file.

The purpose of the SHA-1 in the Raspbian download is to detect that the file downloaded correctly, not that it isn't a hacked version.

Even then, it would take a lot of work for someone to create a download that came up with the same SHA-1 sum and somehow get it on to the Raspberry Pi download pages.

Read Linus Torvalds comments on git and SHA-1 here https://plus.google.com/+LinusTorvalds/ ... tp2gYWQugL

DougieLawson
Posts: 39165
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: SHA-1 is Dead

Wed Mar 01, 2017 8:53 am

Even if it's possible, it's unlikely to change before Debian Buster (the one after Debian Stretch) in a couple of years' time.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.
