Date: Mon, 13 Jan 2003 00:51:07 -0500
From: "Nathan J. Yoder" <njyoder@gummibears.nu>
To: freebsd-security@FreeBSD.org
Subject: digital signatures for downloads
Message-ID: <6121584208.20030113005107@gummibears.nu>
I'd like to suggest that the downloads for FreeBSD systems (whether directly through *.FreeBSD.org or not) should be digitally signed. By digital signature I don't simply mean a bare MD5 hash, as that could have been changed in transit. Most importantly, this would include cvs files transferred via cvsup (FreeBSD source and ports), pre-compiled binary packages and security patches.

While the FreeBSD security advisories are signed, they don't include secure hashes of the patches; rather, they just provide an insecure FTP link. This leaves it wide open for a MITM attack (in the case of FTP this is relatively easy if you can sniff traffic and the person uses active mode). Realistically it would probably be very difficult to insert a source trojan into most of the patches considering their small size (at least to anyone who actually checked them), but it is definitely needed for other types of downloads like cvsup.

By launching a MITM attack on a cvsup connection an attacker can choose to modify/add/delete the source to any file in the tree, which is unlikely to be detected by most users. This can be done to insert a trojan anywhere in the source. This applies to both the FreeBSD source and ports collection. Yes, the ports collection does include MD5 hashes, but someone capable of a MITM attack can change the hash to that of the evil trojaned version.

Lastly we have pre-compiled binaries. These can either be flat out replaced with a trojaned version or have some kind of real-time code injection done into the binary.

Anyway, the solution to all this is relatively simple as stated above: digitally sign all the stuff with specially designated FreeBSD keys that are automagically verified without the user having to do anything (this would be done by _default_ with the capability to disable). For patches and pre-compiled binaries a simple front-end script can be used to download the file, verify it, then pass on the full-fledged file to continue processing it.

Perhaps a clever person could hide the signature inside of the a.out/ELF binary itself (like Authenticode *gag*), but that might add needless complication.

With cvsup this may be possible with a hack on the client side. This would involve digitally signing all source files, then using a special naming scheme to create a digital signature file that corresponds to a given file (i.e. happy.c.sig would correspond to happy.c). The hack comes in by modifying the cvsup client to automatically verify the signatures for files automagically. Or I suppose the make system could be made to verify signatures upon the making of files. Now of course the problem here is that there are a lot of files to sign, so this may be worked around by signing multiple files in the same signature (like signing a giant conglomerate file).

Now keep in mind all this may have already been compensated for and I'm just smoking crack, but I just want to make sure something is done either way. I'd be willing to help implement the changes to FreeBSD to make this signature stuff happen if I can get some supporters.

I have a cat on my head, weeeeeeee....
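The signed-manifest scheme the post sketches (one signature over a "conglomerate" file listing many artifacts, and a front end that verifies before handing a download on) worked through as an added Go example. This is not code from the message or from FreeBSD's own tooling; the Ed25519 key pair, the manifest line format, the function names and the sample files are assumptions constructed here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// BuildManifest produces the "giant conglomerate file": one line per
// artifact in the form "<sha256 hex>  <name>", sorted so the output is
// deterministic. Signing this single file covers every artifact it lists.
// (Assumed format; not a FreeBSD manifest layout.)
func BuildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return []byte(b.String())
}

// SignManifest is the publisher side: a detached signature over the manifest,
// playing the role of happy.c.sig beside happy.c, but for the whole set.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// ParseManifest turns the signed text back into name -> expected hex hash.
func ParseManifest(manifest []byte) (map[string]string, error) {
	entries := make(map[string]string)
	for _, line := range strings.Split(string(manifest), "\n") {
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 || len(parts[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		entries[parts[1]] = parts[0]
	}
	return entries, nil
}

// VerifyDownload is the client-side front end the post describes: check the
// manifest signature against the trusted key first, then check the downloaded
// bytes against the manifest entry, and only then let the file be processed.
func VerifyDownload(trusted ed25519.PublicKey, manifest, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(trusted, manifest, sig) {
		return errors.New("manifest signature does not verify; refusing all files")
	}
	entries, err := ParseManifest(manifest)
	if err != nil {
		return err
	}
	want, ok := entries[name]
	if !ok {
		return fmt.Errorf("%s is not covered by the signed manifest", name)
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("%s: content does not match signed hash", name)
	}
	return nil
}

func main() {
	// Assumption: in a real deployment the public key ships with the base
	// system and the private key stays with the release engineers.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample artifacts standing in for a source file and a patch.
	files := map[string][]byte{
		"happy.c":   []byte("int main(void) { return 0; }\n"),
		"patch.txt": []byte("--- a/happy.c\n+++ b/happy.c\n"),
	}
	manifest := BuildManifest(files)
	sig := SignManifest(priv, manifest)

	fmt.Println("genuine file:", VerifyDownload(pub, manifest, sig, "happy.c", files["happy.c"]))
	// File replaced in transit: the hash no longer matches the signed manifest.
	fmt.Println("tampered file:", VerifyDownload(pub, manifest, sig, "happy.c", []byte("evil")))
	// Manifest rewritten to the new hash as well: the signature no longer verifies,
	// which is exactly what a bare MD5 file beside the download cannot give you.
	forged := BuildManifest(map[string][]byte{"happy.c": []byte("evil")})
	fmt.Println("tampered manifest:", VerifyDownload(pub, forged, sig, "happy.c", []byte("evil")))
}
```

The point of the single manifest is the one the post raises about the number of files: the publisher signs once per release rather than once per file, and the client still gets a per-file check because every hash is bound by that one signature. Anything not in the manifest, or any manifest that does not verify, is rejected before the file is passed on.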