search

jrossi / issue-migration-test

GNU General Public License v2.0
1 stars 0 forks source link

SHA-256 / SHA-512 support #43

Open jrossi opened 10 years ago

jrossi commented 10 years ago

Duplicated from dcid's bitbucket:

Support SHA-256 and/or SHA-512 algorithms. From my point of view, these algorithms are needed since MD5 and SHA-1 are depreciated. Integrity check with both actual algorithm is very secure, this issue is more linked to security policy (next FIPS 140-x, NATO, national government...)

Note: This issue has been automatically migrated from Bitbucket Created by sshinn on 2013-08-02 18:15:49+00:00, last updated: 2013-11-25 15:10:12+00:00

jrossi commented 10 years ago

Ok unless some can come up with a reason why I am selecting sha2 (256) has and Blake2 for next version of hashing.

Note: This comment has been automatically migrated from Bitbucket Created by jrossi on 2013-11-24 17:18:26+00:00

jrossi commented 10 years ago

Do we still need two hashing function? I would rather have only a strong one.

Note: This comment has been automatically migrated from Bitbucket Created by northox on 2013-11-25 03:29:11+00:00

jrossi commented 10 years ago

I don't think so. http://stackoverflow.com/questions/4014090/is-it-safe-to-ignore-the-possibility-of-sha-collisions-in-practice . Think that links does a good job of why, But i am staying with history and keeping two just so I don't have to deal with the fallout from people that don't agree with me. This is just a battle I am not willing to fight. :) I can be sold if you can come up with a problem with blake2 or sha2(256).

Note: This comment has been automatically migrated from Bitbucket Created by jrossi on 2013-11-25 03:37:39+00:00

jrossi commented 10 years ago

I think two hashing algorithms would be useful simply due to the availability of malware lists that we might come across. Some may use MD5 and others SHA256. We likely won't have original samples to recreate the hashes, so supporting both would allow us to use more data sources.

Note: This comment has been automatically migrated from Bitbucket Created by mstarks01 on 2013-11-25 03:55:09+00:00

jrossi commented 10 years ago

Ok so the hash for the file system integrity check is used to find malicious files? Isn't that the least effective way of identifying malware?

Note: This comment has been automatically migrated from Bitbucket Created by northox on 2013-11-25 04:29:40+00:00, last updated: 2013-11-25 04:34:22+00:00

jrossi commented 10 years ago

Well, we're not an AV vendor, so I don't think that's the goal. I think the goal is to more intelligently interpret and tune the checksum alerts. If we can check a hash against a list or look it up using something like the VirusTotal API and it returns a match, then it makes sense to alert on that differently. Conversely, if we can look it up in a list of known good hashes, such as those that CentOS publishes with their updates, it makes sense not to necessarily alert.

Note: This comment has been automatically migrated from Bitbucket Created by mstarks01 on 2013-11-25 15:10:12+00:00