From: Peter Jeremy
To: Elmar Stellnberger
Cc: freebsd-security@freebsd.org
Date: Thu, 11 Mar 2010 05:53:28 +1100
Subject: Re: online checksum verification for FreeBSD
Message-ID: <20100310185328.GD37825@server.vk2pj.dyndns.org>
In-Reply-To: <4B97AB28.8060403@gmail.com>

On 2010-Mar-10 15:22:32 +0100, Elmar Stellnberger wrote:
> I believe it would be highly desirable to have an online md5sum
> verification for FreeBSD as this is already implemented by checkroot
> (http://www.elstel.com/checkroot/) for openSUSE.

You are welcome to adapt your tool to support FreeBSD and have it
included in the ports system. That said, it's unclear that your tool
offers any benefits over the freebsd-update(8) tool that is part of
the FreeBSD base system.

> The only thing that I have found about it is:
> "DS Compare the system against a "known good" index of the installed
> release.'"

As well as freebsd-update(8), the FreeBSD base system includes
mtree(8) - which can be used to generate and check file hashes.
Other tools, such as tripwire, are available in the ports tree.

> However this known good index would need to be stored on a FreeBSD
> server because everything that is stored locally can be altered by an
> intruder.

This isn't completely true - the known good index could be stored on
read-only media - CD-ROM or write-protected floppy. Note that an
intruder could equally easily modify the checkroot executable unless
it is also stored on read-only media. (And even a statically linked
checkroot won't protect against a suborned kernel).

I notice that your tool only appears to store MD5 hashes - I presume
you are aware that the MD5 algorithm has been shown to have a number
of weaknesses and is not recommended for new applications. This is
why FreeBSD has moved to using a combination of MD5 and SHA256.

Also, your website mentions DSA is unsafe. Could you please provide a
reference for this claim as I am unaware of any results suggesting
that DSA is less secure than RSA.

-- 
Peter Jeremy
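
A sketch of the "known good index" check discussed in this message, as an added example that is not part of the original post and is not the code of mtree(8), freebsd-update(8) or checkroot. The function names and the sample tree are constructed for illustration; it records both MD5 and SHA-256 per file and reports changed, missing and extra files, and it assumes the index and the checker itself are kept where an intruder cannot alter them.

```python
import hashlib
import tempfile
from pathlib import Path

ALGOS = ("md5", "sha256")  # both digests, the combination the message mentions

def digest_file(path):
    # Read in chunks so large binaries are not loaded into memory at once.
    hashers = [hashlib.new(name) for name in ALGOS]
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers:
                h.update(chunk)
    return tuple(h.hexdigest() for h in hashers)

def build_index(root):
    """Map each regular file's path (relative to root) to its digests."""
    return {p.relative_to(root).as_posix(): digest_file(p)
            for p in Path(root).rglob("*")
            if p.is_file() and not p.is_symlink()}

def check_tree(root, known_good):
    # Any digest mismatch counts as a change, so both algorithms must agree.
    current = build_index(root)
    return {
        "changed": sorted(p for p in known_good
                          if p in current and current[p] != known_good[p]),
        "missing": sorted(p for p in known_good if p not in current),
        "extra": sorted(p for p in current if p not in known_good),
    }

def demo():
    """Constructed sample tree: index it, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in {"bin/ls": b"ls v1", "bin/sh": b"sh v1",
                          "etc/rc.conf": b"sshd_enable=YES\n"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        known_good = build_index(root)  # assumed to be kept on read-only media
        (root / "bin/sh").write_bytes(b"sh v1 modified")    # content changed
        (root / "etc/rc.conf").unlink()                     # file removed
        (root / "bin/unexpected").write_bytes(b"new file")  # file added
        return check_tree(root, known_good)

if __name__ == "__main__":
    print(demo())
```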