
Re: Apt-get is insecure



On Thu, Dec 13, 2001 at 06:05:29PM -0600, Jor-el wrote:
> On Thu, 13 Dec 2001, Wichert Akkerman wrote:
> 
> 	Note that if the packages are PGP / GPG signed, the problem is
> only a little less acute. Mr. Cracker could sign the package with his /
> her key. How would a user know that Mr. Cracker is not in fact the
> maintainer?
> 
	This does not make the problem acute; it makes it impossible for the hacker to
throw a trojan at you. The following reasoning explains it (I hope):

- I configure my system to only accept packages signed with PGP/GPG keys I trust. Since
the Debian keyring is distributed as a package and signed too, I have in my hands all
the maintainers' GPG/PGP keys (you have to trust the first signature, that is, the one
of the keyring package, which should be a well-known, easy-to-verify signature, for
example James Troup's). You can use debsig-verify for this.

- I setup whatever mirror I like for downloading packages

- Attacker gets hold of the mirror and introduces a package (or modifies one)

- My system will not install the offending package because:

	a) the package cannot be signed properly by a Debian maintainer (the attacker
	has no access to the private key of a maintainer)

	b) if the package is signed by another person whom I do not trust (the
	attacker), it will not be installed (since I configured it not to)

Of course, this scheme has the handicap that it can work easily when you are using
stable and proposed-updates. If you are following unstable you need to update your
keyring often due to new maintainers entering the queue.

A far better scheme was the one proposed by Wichert (signing only one file, Packages.gz,
and establishing a trust relationship like this):

- When I update my system I download a Packages.gz file which is properly signed by a
well-known authority (Ben? Wichert? James?) and distributed to the mirrors

- Attacker gets into the mirror and changes around packages. Note that he cannot add
new ones since, even if he can modify the Packages.gz, he cannot regenerate the
signature (if you update it the signature will not verify correctly)

- I now update my packages

- Package B, a trojan, is downloaded to my system. The MD5 sum is checked against the
one in Packages.gz; since it does not match, that package is discarded (i.e. not
installed)

	From what I know, this will be the supported scheme in the next release.

	Hope I made myself clear.

	Javi
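The Packages.gz scheme described in the message above, as an added worked example that is not part of Javi's post or of apt itself. It builds a Packages-style index from constructed package bodies, "signs" it, and then runs the client-side checks: reject everything if the index signature does not verify, reject any file not listed in the index, and reject any file whose MD5 sum differs from the index entry. The archive signing key, the package names and contents, and the HMAC used in place of the OpenPGP detached signature are all assumptions made so the example runs offline with the standard library; the real scheme uses an asymmetric signature, but the argument is the same, since the attacker on the mirror does not hold the key.

```python
import hashlib
import hmac

# --- archive side (constructed sample data; not real Debian packages) ---
GENUINE_DEBS = {
    "foo_1.0_i386.deb": b"genuine foo package contents",
    "bar_2.1_i386.deb": b"genuine bar package contents",
}

# Stand-in for the archive's private signing key (assumption). The real scheme
# uses an OpenPGP detached signature from a well-known maintainer key; HMAC is
# used here only so the example runs with the standard library.
ARCHIVE_SIGNING_KEY = b"stand-in-for-the-archive-private-key"


def build_index(debs):
    """Produce a Packages-style index: one stanza per .deb with Filename and MD5sum."""
    stanzas = []
    for filename, body in sorted(debs.items()):
        name = filename.split("_")[0]
        stanzas.append(
            f"Package: {name}\nFilename: pool/main/{filename}\n"
            f"Size: {len(body)}\nMD5sum: {hashlib.md5(body).hexdigest()}\n"
        )
    return "\n".join(stanzas)


def sign_index(index, key):
    """Detached signature over the whole index (HMAC stand-in for a GPG signature)."""
    return hmac.new(key, index.encode(), hashlib.sha256).hexdigest()


# --- client side ---
def verify_index(index, signature, key):
    """Only an index signed with the trusted key is accepted."""
    return hmac.compare_digest(sign_index(index, key), signature)


def parse_index(index):
    """Parse stanzas (blank-line separated, 'Field: value' lines) into {basename: fields}."""
    entries = {}
    for stanza in index.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        entries[fields["Filename"].rsplit("/", 1)[-1]] = fields
    return entries


def check_package(entries, filename, body):
    """Return (accepted, reason) for one downloaded .deb."""
    entry = entries.get(filename)
    if entry is None:
        return False, "not listed in the signed index"
    if hashlib.md5(body).hexdigest() != entry["MD5sum"]:
        return False, "MD5 sum does not match the signed index"
    return True, "ok"


def install_run(index, signature, mirror, key=ARCHIVE_SIGNING_KEY):
    """Simulate the update: verify the index first, then every package from the mirror."""
    if not verify_index(index, signature, key):
        return {name: (False, "index signature invalid") for name in mirror}
    entries = parse_index(index)
    return {name: check_package(entries, name, body) for name, body in mirror.items()}


def scenario_tampered_mirror():
    """Attacker modifies package B and adds a new package; Packages.gz is untouched."""
    index = build_index(GENUINE_DEBS)
    sig = sign_index(index, ARCHIVE_SIGNING_KEY)
    mirror = dict(GENUINE_DEBS)
    mirror["bar_2.1_i386.deb"] = b"trojaned bar package contents"  # modified package
    mirror["evil_0.1_i386.deb"] = b"package the attacker added"  # not in the index
    return install_run(index, sig, mirror)


def scenario_tampered_index():
    """Attacker also rewrites Packages.gz to match; without the key the signature fails."""
    mirror = dict(GENUINE_DEBS)
    mirror["bar_2.1_i386.deb"] = b"trojaned bar package contents"
    forged_index = build_index(mirror)
    genuine_sig = sign_index(build_index(GENUINE_DEBS), ARCHIVE_SIGNING_KEY)
    return install_run(forged_index, genuine_sig, mirror)


if __name__ == "__main__":
    for name, result in scenario_tampered_mirror().items():
        print("tampered mirror:", name, result)
    for name, result in scenario_tampered_index().items():
        print("tampered index: ", name, result)
```

Only the genuine foo package is accepted in the first scenario; the modified bar package fails the MD5 check and the added package has no index entry. In the second scenario nothing is installed at all, which is the point of signing the index rather than the individual packages. MD5 is used here because the message describes it; apt has since moved to signing the Release file and verifying SHA-256 sums.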


