Gentoo Forums
Gentoo Linux Insecurities

nero
n00b

Joined: 08 Aug 2002
Posts: 66

Posted: Wed Sep 29, 2004 4:46 am

thrasher6670 wrote:
and as far as GPG signing the package... I think that would be a little difficult to get done as enough of the ebuilds download directly from the website of the program and not a portage mirror


Not really. The file signatures are stored on the RSYNC servers which are updated by gentoo. Only the tarballs themselves are downloaded from non-gentoo servers.

In fact, why aren't we using an advanced signature system for all of the RSYNC data? The code to do things like this is literally all over the place. It has been done thousands of times over. This is a case where the effort involved totally justifies the increase in security.

Let's face it, gentoo is becoming mature and therefore a target.

spb
Retired Dev

Joined: 02 Jan 2004
Posts: 2135
Location: Cambridge, UK

Posted: Wed Sep 29, 2004 10:13 am

nero wrote:
In fact, why aren't we using an advanced signature system for all of the RSYNC data? The code to do things like this is literally all over the place. It has been done thousands of times over. This is a case where the effort involved totally justifies the increase in security.
It's in development. Once the support is there in Portage (which it mostly is), people will start signing the ebuilds properly.

ciaranm
Retired Dev

Joined: 19 Jul 2003
Posts: 1719
Location: In Hiding

Posted: Wed Sep 29, 2004 12:19 pm

spb wrote:
nero wrote:
In fact, why aren't we using an advanced signature system for all of the RSYNC data? The code to do things like this is literally all over the place. It has been done thousands of times over. This is a case where the effort involved totally justifies the increase in security.
It's in development. Once the support is there in Portage (which it mostly is), people will start signing the ebuilds properly.

Oh, it's there already, and a lot of developers *do* sign Manifests. Currently though a) eclasses aren't signed, and b) portage is set to only generate md5 digests, so it's not exactly perfect :roll:

venator
n00b

Joined: 03 Feb 2003
Posts: 20
Location: Switzerland

Posted: Wed Oct 06, 2004 1:45 pm

Signing the hashes will not help against flaws in the hash function. While there is no way known to turn the recently found flaws in md5 into a targeted attack, it would be more than advisable to PLAN switching from md5 to sha1 as hash algorithm NOW.

kibu
n00b

Joined: 09 Oct 2004
Posts: 2

Posted: Sat Oct 09, 2004 12:49 pm

tomstdenis wrote:

It's actually very easy to do.

say X != Y and md5(X) == md5(Y) (which is possible to do now just not useful cuz they differ by a few specific bits) then...

MD5(X + Q) == MD5(Y + Q)

Tom


say X= something.tar.bz
now Y+Q must be a valid tar.bz file,
the harder part to do is X+Q must be a valid tar.bz file too...
on top one must make Q a valid program.

marcansoft
n00b

Joined: 30 May 2004
Posts: 19

Posted: Mon Oct 11, 2004 11:28 am

kibu wrote:
tomstdenis wrote:

It's actually very easy to do.

say X != Y and md5(X) == md5(Y) (which is possible to do now just not useful cuz they differ by a few specific bits) then...

MD5(X + Q) == MD5(Y + Q)

Tom


say X= something.tar.bz
now Y+Q must be a valid tar.bz file,
the harder part to do is X+Q must be a valid tar.bz file too...
on top one must make Q a valid program.


Say you have two colliding chunks of binary data, X and Y. You can find at least a couple of those in common places. MD5 is incremental, so
md5(A+X+B)==md5(A+Y+B) (might have to align it or something, to have it match the MD5 processing chunk, but that is no problem)
You have a tarball, Z, which contains code to check itself (looking in /usr/portage/distfiles for example) for which chunk of data you have.
Now you include chunk A in the gzip header (it CAN be done, the same way transgaming tags cedega downloads; gzip has room for that stuff) and send it to a dev; he takes it, likes it, and it goes into portage. Swap the tar.gz in your server with the B version. Now your script sees the tarball is the "B" tarball and does some nasty stuff.

Easy.

placeholder
Advocate

Joined: 07 Feb 2004
Posts: 2500

Posted: Mon Oct 11, 2004 11:50 am

Oh come on, there is no reason to be this technical. Even when the MD5 sums do not match, I just rebuild the digest and compile it. :lol: However, making MD5 sums match is a lot harder than A + B = A + C. You must remember that all parts must still be 100% identical in order to work correctly. Also, I doubt that anyone will take the time to even try that.

nightm4re
Guru

Joined: 20 Jun 2004
Posts: 519
Location: Providence, RI, USA

Posted: Mon Oct 11, 2004 1:32 pm

venator wrote:
Signing the hashes will not help against flaws in the hash function. While there is no way known to turn the recently found flaws in md5 into a targeted attack, it would be more than advisable to PLAN switching from md5 to sha1 as hash algorithm NOW.


in the last issue of new scientist, the md5 vulnerability was discussed.. and in the same article, there was a vulnerability discussed about sha1 as well, which was very similar to the exploit in the md5.

so i'm not sure the move to sha1 is going to do anything!
_________________
Nitrogen - GtkMM based background setter/restorer, please test!
Minuslab | d.minuslab.net

peshwengi
n00b

Joined: 01 Aug 2003
Posts: 66
Location: London, UK

Posted: Fri Oct 15, 2004 3:28 pm

If you were to take two hashes, using both algorithms, would this guard against the attack?

i.e. is it possible that:

(X != Y)
&&
(MD5(X) == MD5(Y))
&&
(Sha1(X) == Sha1(Y))

or not?

kashani
Advocate

Joined: 02 Sep 2002
Posts: 2032
Location: San Francisco

Posted: Fri Oct 15, 2004 3:56 pm

That is always possible, as you are representing Z number of bits as 128 bits. There will have to be overlaps, but you have to take this into account.

MD5(X) has a very small time to calculate
MD5(X + exploit) = MD5(X) has a very large time to calculate

The recent weaknesses are basically saying that it may not be as long to calculate as we thought.

The attack that started this thread says, "I can generate X and X+exploit that have the same MD5 hash much faster because I can toy with both sets of data and md5 has been shown to be weaker than we thought." It's a pretty special case and still non-trivial.

kashani
_________________
Will personally fix your server in exchange for motorcycle related shop tools in good shape.
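
The suffix property from marcansoft's post (md5(A+X+B)==md5(A+Y+B)) and peshwengi's question about recording two hashes, worked through as an added example that is not part of any post in this thread. A toy Merkle-Damgard hash with a 3-byte state stands in for MD5 so that a collision can be found in milliseconds; `toy_md`, the sample bytes and the choice of SHA-256 as the second digest are assumptions of the example.

```python
import hashlib
from itertools import count

BLOCK, STATE = 8, 3  # toy sizes in bytes (MD5: 64-byte blocks, 16-byte state)
IV = b"\x00" * STATE

def compress(state, block):
    # Toy compression function: truncated SHA-256, deliberately easy to collide.
    return hashlib.sha256(state + block).digest()[:STATE]

def chain(state, data):
    # Feed block-aligned data through the compression function, block by block.
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def toy_md(msg):
    # Merkle-Damgard hash in the style of MD5: 0x80, zero fill, message length.
    padded = msg + b"\x80"
    padded += b"\x00" * (-(len(padded) + 4) % BLOCK) + len(msg).to_bytes(4, "big")
    return chain(IV, padded)

def colliding_blocks(prefix):
    # Birthday search: two different blocks that reach the same chaining value
    # after a block-aligned prefix (about 2**12 tries for a 24-bit state).
    start, seen = chain(IV, prefix), {}
    for n in count():
        block = n.to_bytes(BLOCK, "big")
        out = compress(start, block)
        if out in seen:
            return seen[out], block
        seen[out] = block

def digests(data):
    # Digest set a Manifest-style entry could record for one distfile.
    return {"toy_md": toy_md(data).hex(), "sha256": hashlib.sha256(data).hexdigest()}

def verify(data, recorded):
    # Accept the file only if every recorded digest matches.
    actual = digests(data)
    return all(actual[name] == value for name, value in recorded.items())

# Constructed sample data: A is a block-aligned prefix, B an arbitrary suffix.
A, B = b"HDR-TAG:", b"...rest of the archive..."
X, Y = colliding_blocks(A)
reviewed, swapped = A + X + B, A + Y + B

print("same toy_md:", toy_md(reviewed) == toy_md(swapped))                      # True
print("weak digest only:", verify(swapped, {"toy_md": toy_md(reviewed).hex()}))  # True
print("both digests:", verify(swapped, digests(reviewed)))                      # False
```

The second digest rejects the swapped file here because the collision was built against `toy_md` only; as kashani's post says, inputs that collide under both functions must exist, but they would have to be found against both at once.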