Date: Thu, 11 Mar 2010 05:53:28 +1100 From: Peter Jeremy <peterjeremy@acm.org> To: Elmar Stellnberger <elmstel@gmail.com> Cc: freebsd-security@freebsd.org Subject: Re: online cheksum verification for FreeBSD Message-ID: <20100310185328.GD37825@server.vk2pj.dyndns.org> In-Reply-To: <4B97AB28.8060403@gmail.com> References: <4B97AB28.8060403@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--AkbCVLjbJ9qUtAXD Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger <elmstel@gmail.com> wrote: > I believe it would be highly desireable to have an online md5sum >verification for FreeBSD as this is already implemented by checkroot >(http://www.elstel.com/checkroot/) for openSUSE. You are welcome to adapt your tool to support FreeBSD and have it included in the ports system. That said, it's unclear that your tool offers any benefits over the freebsd-update(8) tool that is part of the FreeBSD base system. >The only thing that I have found about it is: >"DS Compare the system against a "known good" index of the installed >release.'" As well as freebsd-update(8), the FreeBSD base system includes mtree(8) - which can be used to generate and check file hashes. Other tools, such as tripwire, are available in the ports tree. >However this known good index would need to be stored on a FreeBSD >server because everything that is stored locally can be altered by an >intruder. This isn't completely true - the known good index could be stored on read-only media - CD-ROM or write-protected floppy. Note that an intruder could equally easily modify the checkroot executable unless it is also stored on read-only media. (And even a statically linked checkroot won't protect against a suborned kernel). I notice that your tool only appears to store MD5 hashes - I presume you are aware that the MD5 algorithm has been shown to have a number of weaknesses and is not recommended for new applications. This is why FreeBSD has moved to using a combination of MD5 and SHA256. Also, your website mentions DSA is unsafe. Could you please provide a reference for this claim as I am unaware of any results suggesting that DSA is less secure than RSA. --=20 Peter Jeremy --AkbCVLjbJ9qUtAXD Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (FreeBSD) iEYEARECAAYFAkuX6qgACgkQ/opHv/APuIe1UgCgksJy5Ivo9uNtwa45rNnCmlhd qRwAn0IM9rGFKvLhTr2PQGRbZVcObjT/ =U6DK -----END PGP SIGNATURE----- --AkbCVLjbJ9qUtAXD--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100310185328.GD37825>