Thread: MD5 checksum available, but SHA1 is gone in SUSEStudio?

  1. #1

    MD5 checksum available, but SHA1 is gone in SUSEStudio?

    After building an appliance within SUSEStudio, and clicking on the Verify hash/sums option, in the past there were both MD5 and SHA1 sums. The last time I checked, yesterday or earlier today, there is now only an MD5 checksum, but MD5 and SHA1 checksums continue to be mentioned for this feature/area. I'm surprised SHA1 was removed, but further surprised over the continued use of MD5 and SHA1 worldwide.

    I vote for the removal of MD5 in SUSEStudio and instead of bringing back SHA1, introduce my proposal below.

    * First, a note about MD5: "The security of the MD5 hash function is severely compromised." - Wikipedia

    * As for SHA1: "In 2005, security flaws were identified in SHA-1, namely that a mathematical weakness might exist, indicating that a stronger hash function would be desirable." - Wikipedia



    • I recommend switching to a combination of SHA-512 and Whirlpool.

  2. #2

    Re: MD5 checksum available, but SHA1 is gone in SUSEStudio?

    I just rebuilt one of my images and noted the absence of SHA1 as well.
    Will pass that upstream.

    Something to bear in mind is that the "vulnerabilities" listed have to do
    with using it in a crypto/security/password hashing scenario. For
    checksums, I don't see that this would be quite as severe an issue, since
    the file size and hash together would tend to not result in a collision
    that was meaningful.

    Jim

    --
    Jim Henderson
    openSUSE Forums Administrator

  3. #3

    Re: MD5 checksum available, but SHA1 is gone in SUSEStudio?

    Yes, we removed the SHA1 checksums as they were taking up considerable UI
    real estate and most users do not seem to use them. We can add them back if
    there is a genuine demand/use case for them.

    As Jim had already explained, the checksum provided here is only for
    verifying that the download is free of corruption, and not for
    cryptography. Hence the security weakness of MD5 is irrelevant here.

    Cheers,
    James
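
Added example, not part of the thread and not SUSE Studio's own code: a download check that reads the file once, computes both MD5 and the SHA-512 suggested in post #1, and also compares the file size mentioned in post #2. The file names and the sample "image" bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

def digest_file(path, algorithms=("md5", "sha512"), chunk_size=1 << 20):
    """Read the file once; return (size_in_bytes, {algorithm: hex_digest})."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}

def verify_download(path, expected_size, expected_digests):
    """Return the list of checks that failed; an empty list means verified."""
    size, actual = digest_file(path, tuple(expected_digests))
    problems = []
    if size != expected_size:
        problems.append("size")
    for name, want in expected_digests.items():
        # Published sums are often pasted with stray whitespace or upper case.
        if not hmac.compare_digest(actual[name], want.strip().lower()):
            problems.append(name)
    return problems

def demo():
    """Constructed sample: an intact file and a copy with one bit flipped."""
    image = b"constructed appliance image\n" * 4096
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "appliance.raw")
        bad = os.path.join(tmp, "appliance-corrupt.raw")
        with open(good, "wb") as fh:
            fh.write(image)
        corrupted = bytearray(image)
        corrupted[1000] ^= 0x01  # simulate transfer corruption, same length
        with open(bad, "wb") as fh:
            fh.write(bytes(corrupted))
        size, published = digest_file(good)  # stands in for the published sums
        return (verify_download(good, size, published),
                verify_download(bad, size, published))

if __name__ == "__main__":
    print(demo())
```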
