MD5 checksum available, but SHA1 is gone in SUSEStudio?

After building an appliance within SUSEStudio, and clicking on the Verify hash/sums option, in the past there were both MD5 and SHA1 sums. The last time I checked, yesterday or earlier today, there is now only an MD5 checksum, but MD5 and SHA1 checksums continue to be mentioned for this feature/area. I’m surprised SHA1 was removed, but further surprised over the continued use of MD5 and SHA1 worldwide.

I vote for the removal of MD5 in SUSEStudio and instead of bringing back SHA1, introduce my proposal below.

  • First, a note about MD5: [“The security of the MD5 hash function is severely compromised.”](http://en.wikipedia.org/wiki/MD5#Security) - Wikipedia

  • As for SHA1: [“In 2005, security flaws were identified in SHA-1, namely that a mathematical weakness might exist, indicating that a stronger hash function would be desirable.”](http://en.wikipedia.org/wiki/Sha1) - Wikipedia

I recommend switching to a combination of SHA-512 and Whirlpool.

I just rebuilt one of my images and noted the absence of SHA1 as well.
Will pass that upstream.

Something to bear in mind is that the “vulnerabilities” listed have to do
with using it in a crypto/security/password hashing scenario. For
checksums, I don’t see that this would be quite as severe an issue, since
the file size and hash together would tend to not result in a collision
that was meaningful.

Jim


Jim Henderson
openSUSE Forums Administrator

Yes we removed the SHA1 checksums as they were taking up considerable UI
real estate and most users do not seem to use it. We can add it back if
there is a genuine demand/use case for it.

As Jim had already explained, the checksum provided here is only for
verifying that the download is free of corruption, and not for
cryptography. Hence the security weakness of MD5 is irrelevant here.

Cheers,
James
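
The download check discussed in this thread, as an added example that is not part of any post and is not SUSE Studio's own code: it computes MD5 and SHA-512 in one pass over a file and compares the result with a published value, then shows that a single flipped bit is caught. The sample image bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac
import io


def digests(stream, algorithms=("md5", "sha512"), chunk_size=1 << 20):
    """Read the stream once and return {algorithm: hex digest}."""
    # usedforsecurity=False marks these as plain checksums (Python 3.9+).
    hashers = {name: hashlib.new(name, usedforsecurity=False)
               for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify(stream, published, algorithm="sha512"):
    """True if the stream's digest equals the published hex string."""
    actual = digests(stream, (algorithm,))[algorithm]
    # Published sums are often pasted with stray whitespace or upper case.
    return hmac.compare_digest(actual, published.strip().lower())


def corrupt(data, offset):
    """Flip one bit, as a transfer or disk error might."""
    damaged = bytearray(data)
    damaged[offset] ^= 0x01
    return bytes(damaged)


# Constructed sample standing in for a downloaded appliance image.
IMAGE = b"constructed appliance image\n" * 4096
# Constructed stand-in for the sums a download page would publish.
PUBLISHED = digests(io.BytesIO(IMAGE))

if __name__ == "__main__":
    damaged = corrupt(IMAGE, 12345)
    for name in ("md5", "sha512"):
        intact_ok = verify(io.BytesIO(IMAGE), PUBLISHED[name], name)
        damaged_ok = verify(io.BytesIO(damaged), PUBLISHED[name], name)
        print(f"{name}: intact={intact_ok} damaged={damaged_ok}")
```

For a real download, pass `open(path, "rb")` as the stream and the sum shown on the download page as `published`.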