Hi, Am Mittwoch, 16. M�rz 2005 11:51 schrieb Karel Gardas: > On Wed, 16 Mar 2005, Peter Conrad wrote: > > Hi, > > > > On Wed, Mar 16, 2005 at 12:26:30PM +0600, Ivan Boldyrev wrote: > > > Tom Lord merges sexy patch. Even if he will re-sign patch, > > > MD5 sum in ./checksum will be same because *.patches.tar.gz is same. > > > > this is wrong. If Tom merges your patch, he will automatically create > > additional log entries in his own branch. This (among other things, like > > changed timestamps) will lead to a file with a different MD5 sum. > > I'm afraid the whole message is a bit different: hack the mirror, hack the > patch while keeping MD5 intack and let your attack to software X spread > thorough the world.
I understood Ivan's scenario like this: 1. attacker creates Patch-A (harmless) and Patch-B (evil) with identical checksums 2. attacker submits Patch-A to maintainer 3. maintainer integrates Patch-A into software, signing it 4. attacker hacks mirrors and replaces signed Patch-A with Patch-B To which I answered that step 3 will normally change the MD5 sum that's actually signed. Which means that replacing the patch will invalidate the signature. > I've just now looked at tla and baz and found that at least mirror on: > http://bazaar.canonical.com/archives/[EMAIL PROTECTED]/ uses also > SHA-1 hashes. Since SHA-1 is also considered weak these days, this > does not add that much security, but certainly at least something > before arch move to some more secure hash implementation. Combining different hashes in the signature should make attacks a lot more difficult, because an attacker would have to produce collisions for all hashes at the same time. Of course, *all* hashes must be validated when checking the signature, instead of validating only one of them. Bye, Peter -- Peter Conrad Tel: +49 6102 / 80 99 072 [ t]ivano Software GmbH Fax: +49 6102 / 80 99 071 Bahnhofstr. 18 http://www.tivano.de/ 63263 Neu-Isenburg Germany _______________________________________________ Gnu-arch-users mailing list [email protected] http://lists.gnu.org/mailman/listinfo/gnu-arch-users GNU arch home page: http://savannah.gnu.org/projects/gnu-arch/
