md5 hashes used in security announcements


md5 hashes used in security announcements

Bas Steendijk
i have sent an email a while ago about the security implications of
using MD5 hashes in the security announcements (DSA), but i didn't get
any reply at all from this. has it been overlooked?


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: md5 hashes used in security announcements

Nico Golde-9
Hi Bas,
* Bas Steendijk <[hidden email]> [2008-10-24 15:44]:
> i have sent an email a while ago about the security implications of using MD5
> hashes in the security announcements (DSA), but i didn't get any reply at all
> from this. has it been overlooked?

I guess not, it's just strange that you think this is not
known to us.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [hidden email] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.


Re: md5 hashes used in security announcements

paddy-9
On Fri, Oct 24, 2008 at 04:01:23PM +0200, Nico Golde wrote:
> Hi Bas,
> * Bas Steendijk <[hidden email]> [2008-10-24 15:44]:
> > i have sent an email a while ago about the security implications of using MD5
> > hashes in the security announcements (DSA), but i didn't get any reply at all
> > from this. has it been overlooked?
>
> I guess not, it's just strange that you think this is not
> known to us.

Is there a bug number ?

Regards,
Paddy
--
Segmentation fault (core dumped): .sig too big



Re: md5 hashes used in security announcements

Florian Weimer
In reply to this post by Bas Steendijk
* Bas Steendijk:

> i have sent an email a while ago about the security implications of
> using MD5 hashes in the security announcements (DSA), but i didn't get
> any reply at all from this. has it been overlooked?

I don't know to which address you sent the address, so I don't know if
it's been overlooked.

My general take on this issue is that for this particular purpose, we
will stop using MD5 when someone comes up with an actual collision for a
hash published in a DSA.  It's not that these hashes are used for
automated processing.  We can't do anything about the old DSAs
containing MD5 hashes anyway.



Re: md5 hashes used in security announcements

Cyril Brulebois-4
Florian Weimer <[hidden email]> (24/10/2008):
> I don't know to which address you sent the address, so I don't know if
> it's been overlooked.

[hidden email] aka.
http://lists.debian.org/debian-security/2008/10/msg00030.html

Mraw,
KiBi.


Re: md5 hashes used in security announcements

Bas Steendijk
In reply to this post by Florian Weimer
Florian Weimer wrote:

> * Bas Steendijk:
>
>> i have sent an email a while ago about the security implications of
>> using MD5 hashes in the security announcements (DSA), but i didn't get
>> any reply at all from this. has it been overlooked?
>
> I don't know to which address you sent the address, so I don't know if
> it's been overlooked.
>
> My general take on this issue is that for this particular purpose, we
> will stop using MD5 when someone comes up with an actual collision for a
> hash published in a DSA.  It's not that these hashes are used for
> automated processing.  We can't do anything about the old DSAs
> containing MD5 hashes anyway.
>
>

2 files with a colliding hash can only be made by someone who can
influence the creation of the file (thus, someone inside debian). he can
make a "good" and a "bad" version of a package with the same MD5, and
the same size. for someone to make a file with the same hash without
influence in the creation of the original file would be a preimage attack.



Re: md5 hashes used in security announcements

Raphael Geissert
Bas Steendijk wrote:
>
> 2 files with a colliding hash can only be made by someone who can
> influence the creation of the file (thus, someone inside debian). he can
> make a "good" and a "bad" version of a package with the same MD5, and
> the same size. for someone to make a file with the same hash without
> influence in the creation of the original file would be a preimage attack.

Yeah, but remember that the "bad" version must also be a valid .deb file with
something inside that does work; otherwise you may just be able to get some
random stuff with the same file size and md5 sum but without any use.

P.S. I'm not saying it is impossible (I actually don't know, but let's assume
that it is), but chances aren't high.

Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net




Re: md5 hashes used in security announcements

Kees Cook-9
On Fri, Oct 24, 2008 at 03:12:20PM -0500, Raphael Geissert wrote:

> Bas Steendijk wrote:
> >
> > 2 files with a colliding hash can only be made by someone who can
> > influence the creation of the file (thus, someone inside debian). he can
> > make a "good" and a "bad" version of a package with the same MD5, and
> > the same size. for someone to make a file with the same hash without
> > influence in the creation of the original file would be a preimage attack.
>
> Yeah, but remember that the "bad" version must also be a valid .deb file with
> something inside that does work; otherwise you may just be able to get some
> random stuff with the same file size and md5 sum but without any use.

Additionally, it doesn't matter -- it's just the md5 in the email
announcement.  The Release and Packages files for the archive have SHA1
and SHA256.  The md5 from the announcement is almost not important,
IMO -- no one should download files individually from the announcement.

--
Kees Cook                                            @outflux.net
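
Added example, not part of the original thread and not Debian's own tooling: a minimal check of a downloaded package against the Size and SHA256 fields of a Packages stanza, the archive metadata mentioned above, with MD5sum never consulted. The stanza, package name, path and payload are constructed, and the sketch assumes the Packages file itself has already been authenticated through the signed Release file.

```python
import hashlib
import hmac

# Constructed stand-in for a downloaded .deb (not a real package).
SAMPLE_DEB = b"!<arch>\nconstructed stand-in for a .deb payload\n"


def build_sample_stanza(payload):
    """Build a constructed Packages-style stanza; name and path are placeholders."""
    return (
        "Package: example-pkg\n"
        "Version: 1.0-1\n"
        "Filename: pool/main/e/example-pkg/example-pkg_1.0-1_all.deb\n"
        f"Size: {len(payload)}\n"
        f"MD5sum: {hashlib.md5(payload).hexdigest()}\n"
        f"SHA256: {hashlib.sha256(payload).hexdigest()}\n"
    )


def parse_stanza(text):
    """Parse one 'Field: value' stanza; continuation lines start with whitespace."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the stanza
        if line[0] in " \t" and last:
            fields[last] += "\n" + line.strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        last = key.strip().lower()
        fields[last] = value.strip()
    return fields


def verify_package(payload, stanza):
    """Check Size and SHA256 only; an MD5sum field is never consulted."""
    expected = stanza.get("sha256")
    if not expected:
        return False, "no SHA256 field; refusing to fall back to MD5sum"
    if stanza.get("size") != str(len(payload)):
        return False, "size mismatch"
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected.lower()):
        return False, "SHA256 mismatch"
    return True, "ok"


if __name__ == "__main__":
    stanza = parse_stanza(build_sample_stanza(SAMPLE_DEB))
    print(verify_package(SAMPLE_DEB, stanza))
    tampered = SAMPLE_DEB[:-2] + b"X\n"  # same length, different content
    print(verify_package(tampered, stanza))
```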



Re: md5 hashes used in security announcements

Sjors Gielen-3
Kees Cook wrote:
> Additionally, it doesn't matter -- it's just the md5 in the email
> announcement.  The Release and Packages files for the archive have SHA1
> and SHA256.  The md5 from the announcement is almost not important,
> IMO -- no one should download files individually from the announcement.

So if the Release and Packages files are using SHA1 and SHA256, why
aren't the announcements?

Sjors



Re: md5 hashes used in security announcements

Florian Weimer
In reply to this post by Raphael Geissert
* Raphael Geissert:

> Yeah, but remember that the "bad" version must also be a valid .deb file with
> something inside that does work; otherwise you may just be able to get some
> random stuff with the same file size and md5 sum but without any use.

These days, you can generate meaningful collisions, perhaps not even
obviously part of an evil twin pair, provided the plaintexts share a
common prefix.



Re: md5 hashes used in security announcements

Kees Cook-9
In reply to this post by Sjors Gielen-3
On Fri, Oct 24, 2008 at 10:35:52PM +0200, Sjors Gielen wrote:
> Kees Cook wrote:
> > Additionally, it doesn't matter -- it's just the md5 in the email
> > announcement.  The Release and Packages files for the archive have SHA1
> > and SHA256.  The md5 from the announcement is almost not important,
> > IMO -- no one should download files individually from the announcement.
>
> So if the Release and Packages files are using SHA1 and SHA256, why
> aren't the announcements?

That's up to the people that control the template, but I would assume
because the template is based off of the changes files which until very
recently, only had md5s.  And besides, why make the announcement emails
even longer?  :)

--
Kees Cook                                            @outflux.net



Re: md5 hashes used in security announcements

Alexander Konovalenko-3
In reply to this post by Kees Cook-9
On Sat, Oct 25, 2008 at 02:33, Kees Cook <[hidden email]> wrote:
> [...]
>
> Additionally, it doesn't matter -- it's just the md5 in the email
> announcement.  The Release and Packages files for the archive have SHA1
> and SHA256.  The md5 from the announcement is almost not important,
> IMO -- no one should download files individually from the announcement.

If no one should download files individually from the announcement,
there's no point in including that long list of package URLs and
hashes in the announcements at all. It would be enough to say, "Please
use apt or your favorite package manager to download the packages for
your system."



Re: md5 hashes used in security announcements

philsf79 (Bugzilla)
On Saturday 25 October 2008 00:20:46 Alexander Konovalenko wrote:

> On Sat, Oct 25, 2008 at 02:33, Kees Cook <[hidden email]> wrote:
> > [...]
> >
> > Additionally, it doesn't matter -- it's just the md5 in the email
> > announcement.  The Release and Packages files for the archive have SHA1
> > and SHA256.  The md5 from the announcement is almost not important,
> > IMO -- no one should download files individually from the announcement.
>
> If no one should download files individually from the announcement,
> there's no point in including that long list of package URLs and
> hashes in the announcements at all. It would be enough to say, "Please
> use apt or your favorite package manager to download the packages for
> your system."

+1

This is not the first time this subject "collides" in this list, but I don't
remember seeing a justification for such a long array of information I never
understood the use for.

While I see the point of having an independent source for confirmation in case
of panic, if the Release and Package files are to be trusted, it seems the
version of the package should be enough, right?

Can anyone please explain why that long list of links and filenames is
interesting, or point to a link that does?

best regards
FF



Re: md5 hashes used in security announcements

Martin-36
On 2008-10-25 07:09, Felipe Figueiredo wrote:
> Can anyone please explain why that long list of links and filenames is
> interesting, or point to a link that does?

I assume, it's tradition from the times, when only few people
used apt-get and friends (and many years apt-get did not have
signature support). A pointer to a "generic" description for
people who don't want to/cannot use apt-get would be sufficient
nowadays. Could someone from the security team correct me?



Re: md5 hashes used in security announcements

Marcin Owsiany
In reply to this post by Raphael Geissert
On Fri, Oct 24, 2008 at 03:12:20PM -0500, Raphael Geissert wrote:

> Bas Steendijk wrote:
> >
> > 2 files with a colliding hash can only be made by someone who can
> > influence the creation of the file (thus, someone inside debian). he can
> > make a "good" and a "bad" version of a package with the same MD5, and
> > the same size. for someone to make a file with the same hash without
> > influence in the creation of the original file would be a preimage attack.
>
> Yeah, but remember that the "bad" version must also be a valid .deb file with
> something inside that does work; otherwise you may just be able to get some
> random stuff with the same file size and md5 sum but without any use.
>
> P.S. I'm not saying it is impossible (I actually don't know, but let's assume
> that it is), but chances aren't high.

It (generating good and bad package with colliding sum) is actually
easier than one might think. The reason is that you can embed any kind
of binary blob inside an executable and make the executable behavior
dependent on the "version" of the blob.

This is shown here for example:
http://www.mscs.dal.ca/~selinger/md5collision/
It was explained nicely in the "two PostScript files with identical MD5
hash" demo, but I cannot find it now.

--
Marcin Owsiany <[hidden email]>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216



Re: md5 hashes used in security announcements

philsf79 (Bugzilla)
In reply to this post by Martin-36
On Saturday 25 October 2008 09:28:02 W. Martin Borgert wrote:
> On 2008-10-25 07:09, Felipe Figueiredo wrote:
> > Can anyone please explain why that long list of links and filenames is
> > interesting, or point to a link that does?
>
> I assume, it's tradition from the times, when only few people
> used apt-get and friends (and many years apt-get did not have
> signature support). A pointer to a "generic" description for
> people who don't want to/cannot use apt-get would be sufficient
> nowadays. Could someone from the security team correct me?


Well, if this is ever going to change, I guess the release of lenny would be a
nice time to do so. Any words, sec team?

regards
FF



Re: md5 hashes used in security announcements

Florian Weimer
In reply to this post by Sjors Gielen-3
* Sjors Gielen:

> Kees Cook wrote:
>> Additionally, it doesn't matter -- it's just the md5 in the email
>> announcement.  The Release and Packages files for the archive have SHA1
>> and SHA256.  The md5 from the announcement is almost not important,
>> IMO -- no one should download files individually from the announcement.
>
> So if the Release and Packages files are using SHA1 and SHA256, why
> aren't the announcements?

Historical reasons, from the days where you got Debian on a set of
CD-ROMs and repositories were not cryptographically signed.  If we
change the format of the announcements, we'd rather drop the hashes
altogether (and the URLs).

The hashes are somewhat hard to verify anyway because you need to follow
the Debian project pretty closely to figure out if the signature on the
advisory is genuine because it's created by individual developers.



Re: md5 hashes used in security announcements

Bernd Eckenfels
In reply to this post by Martin-36
In article <[hidden email]> you wrote:
> I assume, it's tradition from the times, when only few people
> used apt-get and friends (and many years apt-get did not have
> signature support). A pointer to a "generic" description for
> people who don't want to/cannot use apt-get would be sufficient
> nowadays. Could someone from the security team correct me?

What I would much more prefer is a regularly signed list of
(non)announcements. This will make sure that anybody can verify if he is
not receiving alerts. If an entity is suppressing updates to the list, you see
the missing signature. Kinda CRL for Packages.

Then the alerts can skip URLs and Checksums, since if there is somebody who
parses them (instead of apt) to be sure his mirrors are not an old copy can
use the new more reliable list.

Gruss
Bernd



Re: md5 hashes used in security announcements

Raphael Geissert
In reply to this post by Marcin Owsiany
Marcin Owsiany wrote:
>
> It (generating good and bad package with colliding sum) is actually
> easier than one might think. The reason is that you can embed any kind
> of binary blob inside an executable and make the executable behavior
> dependent on the "version" of the blob.

I retract what I said then. It looks much easier to do it now than when the
first collision was discovered.

>
> This is shown here for example:
> http://www.mscs.dal.ca/~selinger/md5collision/
> It was explained nicely in the "two PostScript files with identical MD5
> hash" demo, but I cannot find it now.
>

Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net




Re: md5 hashes used in security announcements

Carlos Carvalho-3
In reply to this post by philsf79 (Bugzilla)
Felipe Figueiredo ([hidden email]) wrote on 25 October 2008 07:09:
 >On Saturday 25 October 2008 00:20:46 Alexander Konovalenko wrote:
 >> On Sat, Oct 25, 2008 at 02:33, Kees Cook <[hidden email]> wrote:
 >> > [...]
 >> >
 >> > Additionally, it doesn't matter -- it's just the md5 in the email
 >> > announcement.  The Release and Packages files for the archive have SHA1
 >> > and SHA256.  The md5 from the announcement is almost not important,
 >> > IMO -- no one should download files individually from the announcement.
 >>
 >> If no one should download files individually from the announcement,
 >> there's no point in including that long list of package URLs and
 >> hashes in the announcements at all. It would be enough to say, "Please
 >> use apt or your favorite package manager to download the packages for
 >> your system."
 >
 >+1
 >
 >This is not the first time this subject "collides" in this list, but I don't
 >remember seeing a justification for such a long array of information I never
 >understood the use for.
 >
 >While I see the point of having an independent source for confirmation in case
 >of panic, if the Release and Package files are to be trusted, it seems the
 >version of the package should be enough, right?
 >
 >Can anyone please explain why that long list of links and filenames is
 >interesting, or point to a link that does?

I use it to find out the package names to update, and sometimes the
version. Often a piece of software spreads through several packages,
or is packaged as a lib, or has some other change in the name.

Of course this doesn't apply to stable, where users should just use
apt-get upgrade. For unstable more caution is necessary.

