[Python-ideas] Using sha512 instead of md5 on python.org/downloads

Christian Heimes christian at python.org
Sat Dec 8 10:06:51 EST 2018


On 08/12/2018 05.55, Gregory P. Smith wrote:
> 
> On Fri, Dec 7, 2018 at 3:38 PM Steven D'Aprano <steve at pearwood.info> wrote:
> 
>     On Fri, Dec 07, 2018 at 01:25:19PM -0800, Nathaniel Smith wrote:
> 
>     > For this specific purpose, md5 is just as good as a proper hash. But all
>     > else being equal, it would still be better to use a proper hash, just so
>     > people don't have to go through the whole security analysis to check that.
> 
>     I don't understand what you are trying to say here about "the whole
>     security analysis" to check "that". What security analysis, and
>     what is "that"?
> 
>     It seems to me that moving to a cryptographically-secure hash would give
>     many people a false sense of security, that just because the hash
>     matched, the download was not only not corrupted, but not compromised as
>     well. For those two purposes:
> 
>     - testing for accidental corruption;
>     - testing for deliberate compromise;
> 
>     md5 and sha512 are precisely equivalent: both are sufficient for the
>     first, and useless for the second. But a crypto-hash can give a false
>     sense of security. The original post in this thread is evidence of that.
> 
>     As such, I don't think we should move to anything stronger than md5.
> 
> 
> If we switched to sha2+ or listed 8 different hashes at once in the
> announcement text so that nobody can find the actual link content, we'd
> stop having people pipe up and complain that we used md5 for something. 
> Less mailing list threads like this one seems like a benefit. :P
> 
> Debian provides all of the popular FIPS hashes, in side files, so people
> can use whatever floats their boat for a content integrity check:
>  https://cdimage.debian.org/debian-cd/current/ppc64el/iso-cd/

By the way it's a common misunderstanding that FIPS forbids MD5 in
general. FIPS is more complicated than black and white lists of
algorithms. FIPS also takes into account how an algorithm is used. For
example, and if I recall correctly, AES-GCM is only allowed in network
communication protocols but not for persistent storage.

Simply speaking:
In FIPS mode, MD5 is still allowed in **non-security contexts**. You
cannot use MD5 to make any security claims like file integrity. However,
you are still allowed to use MD5 as a non-secure hash function to detect
file corruption. The design and documentation must clearly state that
you are only guarding against accidental file corruption caused by
network or hardware issues, but not as protection against a malicious attacker.

Christian
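
The distinction discussed in this thread, as an added example that is not part of the original message: a digest published next to the file catches accidental corruption with either MD5 or SHA-512, while a check against tampering needs a value the download host cannot rewrite. HMAC-SHA512 with an off-host key is used here as a stdlib stand-in for a detached signature; all names, sample bytes and the key are constructed, and `usedforsecurity` requires Python 3.9+.

```python
import hashlib
import hmac

def digest(data: bytes, algorithm: str) -> str:
    # usedforsecurity=False (Python 3.9+) declares MD5 a non-security checksum,
    # which keeps it usable in restricted (e.g. FIPS-mode) environments.
    secure_use = algorithm != "md5"
    return hashlib.new(algorithm, data, usedforsecurity=secure_use).hexdigest()

def matches_published(data: bytes, published: str, algorithm: str) -> bool:
    """Check a download against a digest fetched from the same page as the file."""
    return hmac.compare_digest(digest(data, algorithm), published)

def matches_authenticated(data: bytes, tag: str, key: bytes) -> bool:
    """Check against a tag made with a key the download host never holds."""
    expected = hmac.new(key, data, hashlib.sha512).hexdigest()
    return hmac.compare_digest(expected, tag)

# Constructed sample data, not a real release or a real key.
RELEASE = b"constructed-release-tarball-bytes" * 64
KEY = b"constructed-key-kept-off-the-download-host"
TAG = hmac.new(KEY, RELEASE, hashlib.sha512).hexdigest()

def run_scenarios() -> dict:
    results = {}
    corrupted = bytearray(RELEASE)
    corrupted[100] ^= 0x01  # single bit flipped in transit
    corrupted = bytes(corrupted)
    swapped = b"different-file-served-by-the-same-host" * 64
    for alg in ("md5", "sha512"):
        published = digest(RELEASE, alg)
        results[alg, "intact"] = matches_published(RELEASE, published, alg)
        results[alg, "corrupted"] = matches_published(corrupted, published, alg)
        # Whoever controls the page also controls the digest shown beside the
        # file, so the comparison passes regardless of hash strength.
        results[alg, "swapped"] = matches_published(swapped, digest(swapped, alg), alg)
    results["tag", "intact"] = matches_authenticated(RELEASE, TAG, KEY)
    results["tag", "swapped"] = matches_authenticated(swapped, TAG, KEY)
    return results

if __name__ == "__main__":
    for scenario, passed in run_scenarios().items():
        print(scenario, "check passes" if passed else "check fails")
```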
