10

I have downloaded a Debian ISO with jigdo, the download has finished successfully, and printed the following message:

FINISHED --2021-01-22 11:57:20-- Total wall clock time: 4.3s Downloaded: 9 files, 897K in 1.8s (494 KB/s) Found 9 of the 9 files required by the template Successfully created `debian-testing-amd64-netinst.iso' ----------------------------------------------------------------- Finished! The fact that you got this far is a strong indication that `debian-testing-amd64-netinst.iso' was generated correctly. I will perform an additional, final check, which you can interrupt safely with Ctrl-C if you do not want to wait. MD5 from template: l2l48nbYVylT4qrQ0Eq3ww MD5 from image: l2l48nbYVylT4qrQ0Eq3ww OK: MD5 Checksums match, image is good! WARNING: MD5 is not considered a secure hash! WARNING: It is recommended to verify your image in other ways too!

Debian offers three ways to verify an ISO image: sha1sums, md5sums and sha256sums. The sha1sum is considered vulnerable to collision attack but I have heard nothing about MD5.

Why is MD5SUM considered an insecure hash? Is the SHA256SUM the only secure way to verify a downloaded debian ISO?

Improve this question
2
  • 3
    Those checksums are typically not meant as a security protection as the checksum file is stored on the same website or fileserver as the ISO. But even if you wold obtain them offline, they are still 2nd pre-image resistant, so switching to a larger has is more or less cargo cult, but it doe not hurt to avoid algorithms which could fail in certain usage (besides the extra cpu and size overhead) Commented Jan 22, 2021 at 23:23
  • 3
    You have "heard nothing about MD5" simply because its obsolescence is old news! It has been considered vulnerable since at least 2005, whereas public SHA-1 collisions have been news in the past 5-6 years. Commented Jan 23, 2021 at 6:33

1 Answer 1

Reset to default
19

MD5 and SHA-1 are both vulnerable to (chosen-prefix) collision attacks. The SHA2 (SHA-256, SHA-384, SHA-512, …) and SHA3 families of hash functions are not.

What a chosen-prefix collision attack means is that given a prefix and a suffix, it's possible to find two middles such that prefix+middle1+suffix and prefix+middle2+suffix have the same hash. In the context of system images, this allows someone to generate an image that's perfectly fine, distribute it, then surreptitiously change it to replace part of it with some malware. The modification won't be detected easily because the original version and the modified version both have the same hash.

For MD5, a collision attack is dirt cheap, you can run it instantly on your PC. For SHA-1, a collision attack is moderately expensive (~USD 45k as of 2020). For SHA2 and SHA3, there is no known way to generate a collision attack even with an NSA level of computing power.

Even with MD5 or SHA-1, there is no known way to take an existing image and find another image with the same hash (a second preimage attack). The original image must be specifically crafted to make the attack possible.

Improve this answer
5
  • 4
    What a collision attack means is that an attacker can generate a pair of ISOs, one of which is innocent and one of which is malicious, that both have the same MD5 sum. It does not mean that an attacker can generate a malicious ISO with the same MD5 sum as someone else's innocent ISO (that would be a preimage attack). Commented Jan 23, 2021 at 1:54
  • 2
    What you describe is a chosen-prefix collision attack, which is more difficult than regular collision attack. But yes, MD5 is still insecure. Commented Jan 23, 2021 at 5:24
  • What I always find hard to believe is that you can create a collision that's also a valid ISO image, valid executable code, and implements the desired malware function. It seems like you would also have to insert lots of unexecuted data to produce the desired hash. Commented Jan 27, 2021 at 20:10
  • 1
    @Barmar It's easy to hide something in a place where nobody will care! The MD5 and SHA-1 collision generation technique lets you have a common prefix of your choice, then a few garbage bytes, then more data of your choice which you can change at will without impacting the hash value, then a few more garbage bytes, then a common suffix of your choice. For example the garbage bytes could be a few pixels of a picture, or an EXIF comment. On a filesystem image, they could be unused space. See how it was done for a PDF file in the first (public) SHA-1 collision. Commented Jan 27, 2021 at 20:24
  • "Take an existing image and find another" is called a second pre-image attack. "Pre-image" usually refers to "first pre-image". Commented Sep 23, 2021 at 12:53

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.