
Re: dpkg-sig support wanted?



On Sat, Nov 26, 2005 at 10:59:57AM +0100, Florian Weimer wrote:
> For the "exploits" we have seen so far to work, the malicious party
> needs upload access to the archive and has to plant a specially
> crafted package there, for which they have created an evil twin
> package.  (Same for attacking one of the text files listing hashes.)
> Looks a bit far-fetched to me.

Not really. Joining Debian isn't particularly difficult, and it might
not even be out of the question to find someone who'll sponsor an upload
without rebuilding the .deb. I think it's safe to imagine that there are
developers right now who've done some shady things in the past; is it
that far fetched to imagine it's worth protecting against developers
who try to abuse their privileges?

The way we do that has to be mostly after the fact, of course: someone
uploads a bad package, people find out it's bad, we trace it back to
whoever uploaded it, then we kick them out of the project.

But that only works if the bad package is actually discovered. If the
.deb's distributed across hundreds of mirrors and to thousands of users,
it's reasonably likely that it will be discovered; but if it's possible
to target the attack against an individual user, and leave the rest of
the Debian universe untouched, you've got a much better chance of
not getting caught. Hence: distribute an iced .deb in the archive, that
does no harm ever and thus needn't arouse any suspicion; and sneak a
fire .deb that has the exploit activated onto the mirror of your target.

"Looks a bit far-fetched" comes under the "famous last words" heading
for security analysis.

Worse, the existence of a practical md5(A+B+C)=md5(A+D+C) attack means
that it's not out of the question that there're md5(A+B)=md5(C+D)
attacks in the hands of particularly well resourced groups (which is
worse, since the version uploaded to the archive could then be entirely
innocent looking). Personally, I don't have any interest in making the
NSA's job any easier, or that of other signals intelligence groups.

> >> Moving away from MD5 is certainly not a bad idea, but it's not clear
> >> whether the alternatives are any better.  Sure, everyone recommends
> >> SHA-256 at this stage, but nobody can give a rationale.
> > MD5 is broken; SHA-1 is where MD5 was a couple of years ago, SHA256 (or
> > higher) are significantly harder to break in practice,
> So?  If SHA256 is so much better, why is that nobody can prove it, or
> at least can provide some evidence which supports that claim?  "The
> numbers are bigger" is the main argument at this point, which is
> awfully similar to the usual snake-oil arguments (although there is a
> slight difference, of course).

SHA256 is better than SHA1 in the same way 2048 bit RSA keys are better
than 512 bit RSA keys. MD5 is broken, and isn't extensible. SHA1 is
fragile, but not broken, and is extensible. Do you have other
suggestions?

> > and there's nothing better yet.
> In terms of security, there are some better hash functions.  

My understanding was that there aren't other hash functions that've had
remotely similar levels of cryptographic analysis to md5 and sha. IIRC,
the elliptic curve cryptography stuff was supposed to be similarly neat,
until people started analysing it seriously, at which point it broke.

Cheers,
aj

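The "iced .deb / fire .deb" scenario and the md5(A+B+C)=md5(A+D+C) shape of the attack, as an added worked example; this is not code from the thread or from dpkg-sig. It uses the published Wang et al. MD5 collision pair (the two 128-byte messages reproduced in the Wikipedia MD5 article, which differ only in the top bit of six bytes) as B and D, with an empty prefix A, because that pair was computed against MD5's standard starting state; a real attacker who wanted a non-empty common prefix would have to compute collision blocks for the chaining value after that prefix. The "package" format, the toy installer and the digest listings are constructed for illustration only.

```python
import hashlib

# Published MD5 collision pair (Wang et al. 2004, as reproduced in the
# Wikipedia MD5 article). This is block B of the e-mail's A+B+C; the
# prefix A is empty for this pair.
COLLISION_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)


def flip_high_bits(msg: bytes, offsets) -> bytes:
    """Return a copy of msg with bit 7 of each listed byte flipped."""
    out = bytearray(msg)
    for i in offsets:
        out[i] ^= 0x80
    return bytes(out)


# Block D: the evil twin differs from B in exactly six bytes (one per
# modified 32-bit word of the two MD5 input blocks), yet shares its MD5.
COLLISION_D = flip_high_bits(COLLISION_B, (19, 45, 59, 83, 109, 123))

# Constructed shared suffix C: the "package body" that both twins carry.
# In the scenario it contains both the harmless and the harmful code path;
# which one runs is decided by a bit inside the colliding block.
SHARED_SUFFIX = b"\n# hypothetical postinst: branch on header byte 19\n"


def build_twins(suffix: bytes = SHARED_SUFFIX):
    """Return (iced, fire): same MD5, same size, different behaviour."""
    return COLLISION_B + suffix, COLLISION_D + suffix


def run_package(pkg: bytes) -> str:
    """Toy installer (constructed): the colliding block selects the path."""
    return "harmless" if pkg[19] & 0x80 else "EXPLOIT"


def digests(pkg: bytes, algos=("md5", "sha256")) -> dict:
    """What an archive index would list for a package."""
    return {a: hashlib.new(a, pkg).hexdigest() for a in algos}


def verify(pkg: bytes, listed: dict) -> bool:
    """Accept pkg only if every digest the index lists matches."""
    return all(hashlib.new(a, pkg).hexdigest() == h for a, h in listed.items())


def demo() -> dict:
    """Iced twin in the archive, fire twin on the target's mirror."""
    iced, fire = build_twins()
    md5_only = digests(iced, ("md5",))
    md5_and_sha256 = digests(iced)
    return {
        "same_md5": hashlib.md5(iced).hexdigest() == hashlib.md5(fire).hexdigest(),
        "same_size": len(iced) == len(fire),
        "iced_runs": run_package(iced),
        "fire_runs": run_package(fire),
        "fire_passes_md5_only": verify(fire, md5_only),
        "fire_passes_with_sha256": verify(fire, md5_and_sha256),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the MD5 internal state is identical after the two colliding blocks, any common suffix C keeps the collision, so the attacker is free to put the real payload (and the benign decoy) in C. An index that lists only MD5 accepts the fire twin; one that also lists SHA-256 rejects it, which is the practical difference the discussion is about.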