Intel® Quartus® Prime Software
Intel® Quartus® Prime Design Software, Design Entry, Synthesis, Simulation, Verification, Timing Analysis, System Design (Platform Designer, formerly Qsys)
Announcements
Intel Support hours are Monday-Fridays, 8am-5pm PST, except Holidays. Thanks to our community members who provide support during our down time or before we get to your questions. We appreciate you!

Need Forum Guidance? Click here
Search our FPGA Knowledge Articles here.
15478 Discussions

I would like to know the official SHA-256 or SHA-512 hashes of the following Quartus d/l files: Quartus-pro-18.1.0.222-devices-3.tar Quartus-pro-18.1.0.222-linux.tar

JGurn
Beginner
945 Views

The official site only has md5 sums, which can have collisions easily created, and the official site serves them over HTTP, so the attacker wouldn't even need to create a collision, the attacker could just change the md5 on the page to their malware infected version.

 

Not being able to verify that the d/l official came from Intel means that it increases the chances that my machine will be infected w/ malware.

 

Note: if you're a user (not an official Intel rep), posting your hashes only marginally helps. W/o knowing your path and ensuring it is disjoint from mine just means we could be attacked by the same attacker. Best is to get an official statement from an Intel employee as to the hash.

0 Kudos
1 Reply
HRZ
Valued Contributor II
107 Views

I agree that MD5 is already far outdated and that downloads should be served over HTTPS, but if an attacker has tapped so deep into your network that he can capture, modify and replay your connections, there are far easier ways to infect you than going for a real-time chosen-prefix collision on 10-20 GB Quartus archives.

 

 

You could probably provide your feedback directly to Intel in this case through the Website Feedback form:

https://www.intel.com/content/www/us/en/forms/corporate/webmaster-contact-us.html

Reply