Re: some feedback about security from the user's point of view
While the attack sequence presented is valid, in practice, given that
there are a lot of "Debian based" distributions out there, wouldn't this
be caught somewhere down the line?
Having said that, I fully agree that MD5 should no longer be recommended.
On 01/24/2011 09:42 AM, René Mayrhofer wrote:
> On Sunday, 23 January 2011, at 20:52:44, AK wrote:
>> Regarding the MD5 sum example and certain released PoCs: producing two
>> "random" files with identical MD5 sums is one thing, introducing a
>> meaningful backdoor (which means deterministic change) or ten in a
>> Debian iso and generating an iso file which is similar in size to the
>> original one and has an identical MD5 sum might be a tad more
>> computationally difficult (this is my estimation), especially for
>> something as short-lived as a Linux CD image.
> With control over a single Debian package (read: when a Debian developer is in on the attack), it could be easily done including plausible deniability for the involved developer:
> 1. Place a random (but large enough) binary blob into a binary installed by a package. The binary blob in the Debian package as uploaded to the archive is completely harmless and may just look odd (if it was detected, that is).
> 2. Create a second binary blob with a collision (but with harmful content). This is fairly easy to do if the two blobs are similar save for a small, known-to-collide part.
> 3. Wait for the uploaded package to appear in an ISO and the MD5 sums to be created
> 4. Replace the binary blob, the MD5 sum still matches.
> 5. Give somebody the changed ISO....
> So yes, MD5 should no longer be recommended.
> best regards,
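
The user-side check that the conclusion of this thread implies, as an added example that is not part of the original messages or of any Debian tooling: verify an image only against a SHA-256 or SHA-512 sums file in the coreutils `<hex>  <name>` format, and treat an MD5-only listing as unverified. The file name `sample.iso`, the helper names and the sample data are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Accepted digest files, strongest first. MD5SUMS and SHA1SUMS are left out on
# purpose: a colliding blob swapped into the image keeps those sums unchanged.
STRONG = (("SHA512SUMS", "sha512"), ("SHA256SUMS", "sha256"))
LINE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")  # coreutils "<hex>  <name>" format

def parse_sums(text):
    """Map file name -> lowercase hex digest from the body of a *SUMS file."""
    return {m.group(2): m.group(1).lower()
            for m in map(LINE.match, text.splitlines()) if m}

def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(image, sums_dir):
    """Return (ok, reason); only SHA-256/SHA-512 sums files are accepted."""
    image = Path(image)
    for fname, algo in STRONG:
        sums_file = Path(sums_dir) / fname
        if not sums_file.is_file():
            continue
        expected = parse_sums(sums_file.read_text()).get(image.name)
        if expected is None:
            return False, f"{image.name} not listed in {fname}"
        ok = hmac.compare_digest(file_digest(image, algo), expected)
        return ok, f"{algo} {'match' if ok else 'mismatch'}"
    return False, "no SHA-256/SHA-512 sums file; MD5 alone is not accepted"

def demo():
    """Constructed sample: a tiny stand-in 'image' and locally generated sums."""
    with tempfile.TemporaryDirectory() as d:
        img = Path(d, "sample.iso")
        img.write_bytes(b"constructed image contents\n")
        Path(d, "MD5SUMS").write_text("0" * 32 + "  sample.iso\n")  # placeholder sum
        md5_only = verify_image(img, d)  # rejected: no strong sums file present
        Path(d, "SHA256SUMS").write_text(f"{file_digest(img, 'sha256')}  sample.iso\n")
        good = verify_image(img, d)
        img.write_bytes(b"constructed image, one blob replaced\n")
        return md5_only, good, verify_image(img, d)
```

The sums file itself still has to be authenticated, for example through its detached signature, before its contents are trusted.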