[Cryptography] Kali Linux security is a joke!

Tom Mitchell mitch at niftyegg.com
Tue Mar 17 19:43:37 EDT 2015


On Tue, Mar 17, 2015 at 11:35 AM, Dave Horsfall <dave at horsfall.org> wrote:

> On Mon, 16 Mar 2015, Henry Baker wrote:
>
> [...]
>
> > What's the point of verifying md5sums against official values, if Kali
> > can't even get the "official values" securely ??
>
> I'm a bit concerned about the use of MD5; was it not broken i.e.
> collisions detected some years ago?
>

Broken, chipped, cracked... ???
All the package tools (Redhat, Debian, Kali ...) need to be improved.
The missing bits are how to design a robust & improved package system
and, having done that, transition to the new system.

Collisions happen, but can a replacement package be promptly generated
with specifically hacked new code bits with any level of useful (to the
hacker) reliability and timeliness?

A baby step would be for the top level to publish multiple checksums and
bit counts for all packages old and new and sign that file PGP style with
a strong key.   This file can (should) be behind a https server and those
that worry can first pull packages from the mirror system, and second check
them all ways to Sunday, and then update if and only if the packages match
the set of hash function results and the tabulation of multiple functions
be correctly signed.

Hash collisions that apply to three or more hash functions demand that
all the functions be broken.

Other baby steps may yield more value.
A baby step does not break current methods but adds additional validation
to the side.
It can be cast aside after the replacement is designed, tested and deployed.


-- 
  T o m    M i t c h e l l
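The baby step the post sketches, a per-package table of several checksums plus a byte count, signed as a whole and checked all ways to Sunday before any update proceeds, written out as an added worked example. This is not Kali or Debian tooling and not the poster's code. The package bytes and package names are constructed; the HMAC stands in for the PGP-style signature the post asks for (so the example runs offline with no gpg keyring), and in deployment that step would be a detached OpenPGP signature verified against a pinned public key.

```python
"""Added example: a multi-hash, size-checked, signed package manifest
and the "update if and only if everything matches" decision the post
describes. Package bytes and the key are constructed so it runs offline."""
import hashlib
import hmac
import json

# Hash functions tabulated per package. A substitute package is only
# accepted if it collides on every one of these AND has the same byte
# count, so breaking MD5 alone buys the attacker nothing.
HASH_NAMES = ("md5", "sha1", "sha256")

# Constructed sample "packages" standing in for mirror downloads.
PACKAGES = {
    "kali-linux_2015.1_amd64.deb": b"\x1f\x8b constructed package body A",
    "nmap_6.47-1_amd64.deb": b"\x1f\x8b constructed package body B",
}

# Stand-in for the distribution's signing key (assumption: symmetric HMAC
# used here only so no gpg or key files are needed; the post's design
# calls for a PGP-style signature over the same table).
SIGNING_KEY = b"constructed-manifest-key-not-a-real-secret"


def digest_set(data: bytes) -> dict:
    """Byte count plus every configured hash of one package."""
    entry = {"size": len(data)}
    for name in HASH_NAMES:
        entry[name] = hashlib.new(name, data).hexdigest()
    return entry


def build_manifest(packages: dict) -> bytes:
    """Canonical (sorted keys, no whitespace) JSON so signatures are stable."""
    table = {name: digest_set(data) for name, data in packages.items()}
    return json.dumps(table, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: bytes, key: bytes) -> str:
    return hmac.new(key, manifest, "sha256").hexdigest()


def signature_valid(manifest: bytes, signature: str, key: bytes) -> bool:
    expected = hmac.new(key, manifest, "sha256").hexdigest()
    return hmac.compare_digest(expected, signature)


def mismatches(entry: dict, data: bytes) -> list:
    """Names of the checks (size or a hash) the downloaded bytes fail."""
    actual = digest_set(data)
    return [k for k in ("size",) + HASH_NAMES if actual[k] != entry[k]]


def decide_update(manifest: bytes, signature: str, key: bytes, downloaded: dict):
    """Return (ok, problems). ok is True only when the manifest
    authenticates and every downloaded package matches on size and on
    all hashes; any single failure vetoes the whole update."""
    if not signature_valid(manifest, signature, key):
        return False, {"manifest": ["signature"]}
    table = json.loads(manifest)
    problems = {}
    for name, data in downloaded.items():
        if name not in table:
            problems[name] = ["not listed in manifest"]
            continue
        bad = mismatches(table[name], data)
        if bad:
            problems[name] = bad
    return (not problems), problems


if __name__ == "__main__":
    manifest = build_manifest(PACKAGES)
    sig = sign_manifest(manifest, SIGNING_KEY)

    # Honest mirror: everything matches, update allowed.
    print(decide_update(manifest, sig, SIGNING_KEY, PACKAGES))

    # Trojaned mirror: same length, different bytes. Every hash fails.
    evil = dict(PACKAGES)
    evil["nmap_6.47-1_amd64.deb"] = b"\x1f\x8b constructed package body X"
    print(decide_update(manifest, sig, SIGNING_KEY, evil))

    # Mirror also rewrites the manifest to bless the evil package:
    # the signature check fails before any hash is even compared.
    forged = build_manifest(evil)
    print(decide_update(forged, sig, SIGNING_KEY, evil))
```

The order of checks matters: the signature is verified first, so a mirror that serves both a tampered package and a matching tampered table gains nothing, and the per-package loop never trusts a table that did not authenticate. The size entry is cheap and catches the common case of a padded or truncated file before any hashing is done.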