Date: Mon, 12 Mar 2001 11:49:14 +0200
From: Maxim Sobolev <sobomax@FreeBSD.org>
To: Trevor Johnson <trevor@jpj.net>
Cc: Kris Kennaway <kris@obsecurity.org>, ports@FreeBSD.org, Alistair Crooks <agc@pkgsrc.org>
Subject: Re: new message digest support in pkgsrc (fwd)
Message-ID: <3AAC9B99.159B7527@FreeBSD.org>
References: <20010312034212.A2937-100000@blues.jpj.net>

Trevor Johnson wrote:

> > > I'd like to see:
> > > - the 160-byte hashes permitted (not required) in the distinfo file.
> > > - a "makesum" target which generates all three hashes, using openssl.
> > > - a "checksum" target which uses whichever hashes exist in distinfo.
> >
> > All this applies only if we presume that the checksum checking has any strong security associated with
> > it. I have strong doubts about that, because:
> > 1. No effective attack scheme has been shown yet;
>
> A scheme has been described which is computationally expensive but not
> infeasible. See the references I gave.

I did not mean an md5 attack; I meant a scheme of attack using a trojaned distfile specially tailored in such a way that its md5 checksum matches the original one. This attack, while possible in principle, has the following difficulties, which turn its possibility close to 0:
- attacker should specially tailor trojaned distfile to have the same checksum as original one (md5 attack);
- attacker should put trojaned distfile onto one of the MASTER_SITES;
- attacker should ensure somehow that the victim will fetch trojaned distfile from that site;
- attacker should ensure that the victim will build that package.

> Perhaps you mean that we should wait for black-hat hackers to demonstrate
> the ineffectiveness of MD5 by conducting attacks on us. If we knew which
> files were involved in the attack, then we could suddenly change to
> another hash, calculate the new hashes without inspecting the contents
> of each file, and be fine. If we didn't know which files were compromised
> (for example, if the hackers didn't tell us), then we'd have a problem.
>
> > 2. I feel that it is much easier to make a new cvsup/mirror server, that will distribute fake
> > distinfo's/trojaned distfiles for selected clients, than perform costly hash search.
>
> As I said, I don't want to force anyone--porter or ports user--to
> calculate hashes they don't want to calculate. I realize that some people
> still rely on '386 computers, and that FreeBSD needs to run on those. I
> acknowledge that there are other attacks which (at least now) are probably
> much easier than the one I described. If it's practical, those should be
> addressed as well. Their existence is not a reason not to adopt longer
> hashes, any more than the existence of bad drivers on the roadways is a
> reason not to drive carefully or wear a seat belt, or even both at the
> same time.

Well, in my view another analogy is more appropriate here: the existence of air bags doesn't mean that they should be installed on each transportation device, even where they could not help anyway, say a bicycle, airplane, motorcycle and so on.

-Maxim

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
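
Added example, not part of the original message and not the ports or pkgsrc tooling: a sketch of the proposed "checksum" behaviour, verifying a distfile against whichever digests distinfo records for it and failing if any recorded digest mismatches. The `ALGO (file) = hex` line format and the SHA1 and RMD160 tag names are assumptions, and the sample distfile and distinfo are constructed.

```python
import hashlib
import re

# Assumed distinfo line format: ALGO (filename) = hexdigest
LINE_RE = re.compile(r"^(\w+) \((.+)\) = ([0-9a-fA-F]+)$")

# distinfo tag -> hashlib name. Tags other than MD5 are assumptions.
ALGOS = {"MD5": "md5", "SHA1": "sha1", "RMD160": "ripemd160"}

def parse_distinfo(text):
    """Return {filename: {tag: hexdigest}} for every digest line."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            tag, name, digest = m.groups()
            entries.setdefault(name, {})[tag] = digest.lower()
    return entries

def verify(name, data, entries):
    """Return (ok, {tag: "ok" | "MISMATCH" | "skipped"}) for one distfile."""
    results = {}
    for tag, expected in entries.get(name, {}).items():
        try:
            h = hashlib.new(ALGOS[tag])
        except (KeyError, ValueError):
            results[tag] = "skipped"  # unknown tag, or digest not in this build
            continue
        h.update(data)
        results[tag] = "ok" if h.hexdigest() == expected else "MISMATCH"
    checked = [r for r in results.values() if r != "skipped"]
    # Pass only if at least one digest was checked and none of them mismatched.
    return bool(checked) and "MISMATCH" not in checked, results

# Constructed sample: a distfile and the distinfo a "makesum" run could emit.
GOOD = b"constructed distfile contents\n"
DISTINFO = "\n".join([
    "MD5 (foo-1.0.tar.gz) = " + hashlib.md5(GOOD).hexdigest(),
    "SHA1 (foo-1.0.tar.gz) = " + hashlib.sha1(GOOD).hexdigest(),
    "MD5 (old-0.9.tar.gz) = " + hashlib.md5(GOOD).hexdigest(),  # MD5-only port
])

if __name__ == "__main__":
    entries = parse_distinfo(DISTINFO)
    print(verify("foo-1.0.tar.gz", GOOD, entries))
    print(verify("foo-1.0.tar.gz", GOOD + b"x", entries))
```

A file with no checkable digest fails rather than passes, so an unrecognised or missing distinfo entry cannot silently disable the check.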