Re: md5 hashes used in security announcements
Felipe Figueiredo ([EMAIL PROTECTED]) wrote on 25 October 2008 07:09:
>On Saturday 25 October 2008 00:20:46 Alexander Konovalenko wrote:
>> On Sat, Oct 25, 2008 at 02:33, Kees Cook <[EMAIL PROTECTED]> wrote:
>> > [...]
>> >
>> > Additionally, it doesn't matter -- it's just the md5 in the email
>> > announcement. The Release and Packages files for the archive have SHA1
>> > and SHA256. The md5 from the announcement is almost not important,
>> > IMO -- no one should download files individually from the announcement.
>>
>> If no one should download files individually from the announcement,
>> there's no point in including that long list of package URLs and
>> hashes in the announcements at all. It would be enough to say, "Please
>> use apt or your favorite package manager to download the packages for
>> your system."
>
>+1
>
>This is not the first time this subject "collides" in this list, but I don't
>remember seeing a justification for such a long array of information I never
>understood the use for.
>
>While I see the point of having an independent source for confirmation in case
>of panic, if the Release and Package files are to be trusted, it seems the
>version of the package should be enough, right?
>
>Can anyone please explain why that long list of links and filenames is
>interesting, or point to a link that does?

I use it to find out the package names to update, and sometimes the
version. Often a piece of software spreads through several packages, or
is packaged as a lib, or has some other change in the name.

Of course this doesn't apply to stable, where users should just use
apt-get upgrade. For unstable more caution is necessary.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: md5 hashes used in security announcements
Marcin Owsiany wrote:
>
> It (generating good and bad package with colliding sum) is actually
> easier than one might think. The reason is that you can embed any kind
> of binary blob inside an executable and make the executable behavior
> dependent on the "version" of the blob.

I retract what I said then. It looks much easier to do it now than when the
first collision was discovered.

>
> This is shown here for example:
> http://www.mscs.dal.ca/~selinger/md5collision/
> It was explained nicely in the "two PostScript files with identical MD5
> hash" demo, but I cannot find it now.
>

Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
Re: md5 hashes used in security announcements
In article <[EMAIL PROTECTED]> you wrote:
> I assume, it's tradition from the times, when only few people
> used apt-get and friends (and many years apt-get did not have
> signature support). A pointer to a "generic" description for
> people who don't want to/cannot use apt-get would be sufficient
> nowadays. Could someone from the security team correct me?

What I would much more prefer is a regularly signed list of
(non)announcements. This will make sure that anybody can verify if he is
not receiving alerts. If an entity is suppressing updates to the list, you
see the missing signature. Kinda CRL for Packages.

Then the alerts can skip URLs and Checksums, since if there is somebody who
parses them (instead of apt) to be sure his mirrors are not an old copy can
use the new more reliable list.

Regards
Bernd
Re: md5 hashes used in security announcements
* Sjors Gielen:

> Kees Cook wrote:
>> Additionally, it doesn't matter -- it's just the md5 in the email
>> announcement. The Release and Packages files for the archive have SHA1
>> and SHA256. The md5 from the announcement is almost not important,
>> IMO -- no one should download files individually from the announcement.
>
> So if the Release and Packages files are using SHA1 and SHA256, why
> aren't the announcements?

Historical reasons, from the days where you got Debian on a set of CD-ROMs
and repositories were not cryptographically signed.

If we change the format of the announcements, we'd rather drop the hashes
altogether (and the URLs). The hashes are somewhat hard to verify anyway
because you need to follow the Debian project pretty closely to figure out
if the signature on the advisory is genuine because it's created by
individual developers.
Re: md5 hashes used in security announcements
On Saturday 25 October 2008 09:28:02 W. Martin Borgert wrote:
> On 2008-10-25 07:09, Felipe Figueiredo wrote:
> > Can anyone please explain why that long list of links and filenames is
> > interesting, or point to a link that does?
>
> I assume, it's tradition from the times, when only few people
> used apt-get and friends (and many years apt-get did not have
> signature support). A pointer to a "generic" description for
> people who don't want to/cannot use apt-get would be sufficient
> nowadays. Could someone from the security team correct me?

Well, if this is ever going to change, I guess the release of lenny would be
a nice time to do so.

Any words, sec team?

regards
FF
Re: md5 hashes used in security announcements
On Fri, Oct 24, 2008 at 03:12:20PM -0500, Raphael Geissert wrote:
> Bas Steendijk wrote:
> >
> > 2 files with a colliding hash can only be made by someone who can
> > influence the creation of the file (thus, someone inside debian). he can
> > make a "good" and a "bad" version of a package with the same MD5, and
> > the same size. for someone to make a file with the same hash without
> > influence in the creation of the original file would be a preimage attack.
>
> Yeah, but remember that the "bad" version must also be a valid .deb file with
> something inside that does work; otherwise you may just be able to get some
> random stuff with the same file size and md5 sum but without any use.
>
> P.S. I'm not saying it is impossible (I actually don't know, but let's assume
> that it is), but chances aren't high.

It (generating good and bad package with colliding sum) is actually
easier than one might think. The reason is that you can embed any kind
of binary blob inside an executable and make the executable behavior
dependent on the "version" of the blob.

This is shown here for example:
http://www.mscs.dal.ca/~selinger/md5collision/
It was explained nicely in the "two PostScript files with identical MD5
hash" demo, but I cannot find it now.

--
Marcin Owsiany <[EMAIL PROTECTED]> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
Re: md5 hashes used in security announcements
On 2008-10-25 07:09, Felipe Figueiredo wrote:
> Can anyone please explain why that long list of links and filenames is
> interesting, or point to a link that does?

I assume, it's tradition from the times, when only few people
used apt-get and friends (and many years apt-get did not have
signature support). A pointer to a "generic" description for
people who don't want to/cannot use apt-get would be sufficient
nowadays. Could someone from the security team correct me?
Re: md5 hashes used in security announcements
On Saturday 25 October 2008 00:20:46 Alexander Konovalenko wrote:
> On Sat, Oct 25, 2008 at 02:33, Kees Cook <[EMAIL PROTECTED]> wrote:
> > [...]
> >
> > Additionally, it doesn't matter -- it's just the md5 in the email
> > announcement. The Release and Packages files for the archive have SHA1
> > and SHA256. The md5 from the announcement is almost not important,
> > IMO -- no one should download files individually from the announcement.
>
> If no one should download files individually from the announcement,
> there's no point in including that long list of package URLs and
> hashes in the announcements at all. It would be enough to say, "Please
> use apt or your favorite package manager to download the packages for
> your system."

+1

This is not the first time this subject "collides" in this list, but I don't
remember seeing a justification for such a long array of information I never
understood the use for.

While I see the point of having an independent source for confirmation in case
of panic, if the Release and Package files are to be trusted, it seems the
version of the package should be enough, right?

Can anyone please explain why that long list of links and filenames is
interesting, or point to a link that does?

best regards
FF
Re: md5 hashes used in security announcements
On Sat, Oct 25, 2008 at 02:33, Kees Cook <[EMAIL PROTECTED]> wrote:
> [...]
>
> Additionally, it doesn't matter -- it's just the md5 in the email
> announcement. The Release and Packages files for the archive have SHA1
> and SHA256. The md5 from the announcement is almost not important,
> IMO -- no one should download files individually from the announcement.

If no one should download files individually from the announcement,
there's no point in including that long list of package URLs and
hashes in the announcements at all. It would be enough to say, "Please
use apt or your favorite package manager to download the packages for
your system."
Re: md5 hashes used in security announcements
On Fri, Oct 24, 2008 at 10:35:52PM +0200, Sjors Gielen wrote:
> Kees Cook wrote:
> > Additionally, it doesn't matter -- it's just the md5 in the email
> > announcement. The Release and Packages files for the archive have SHA1
> > and SHA256. The md5 from the announcement is almost not important,
> > IMO -- no one should download files individually from the announcement.
>
> So if the Release and Packages files are using SHA1 and SHA256, why
> aren't the announcements?

That's up to the people that control the template, but I would assume
because the template is based off of the changes files which until very
recently, only had md5s. And besides, why make the announcement emails
even longer? :)

--
Kees Cook@outflux.net
Re: md5 hashes used in security announcements
* Raphael Geissert:

> Yeah, but remember that the "bad" version must also be a valid .deb file with
> something inside that does work; otherwise you may just be able to get some
> random stuff with the same file size and md5 sum but without any use.

These days, you can generate meaningful collisions, perhaps not even
obviously part of an evil twin pair, provided the plaintexts share a
common prefix.
Re: md5 hashes used in security announcements
Kees Cook wrote:
> Additionally, it doesn't matter -- it's just the md5 in the email
> announcement. The Release and Packages files for the archive have SHA1
> and SHA256. The md5 from the announcement is almost not important,
> IMO -- no one should download files individually from the announcement.

So if the Release and Packages files are using SHA1 and SHA256, why
aren't the announcements?

Sjors
Re: md5 hashes used in security announcements
On Fri, Oct 24, 2008 at 03:12:20PM -0500, Raphael Geissert wrote:
> Bas Steendijk wrote:
> >
> > 2 files with a colliding hash can only be made by someone who can
> > influence the creation of the file (thus, someone inside debian). he can
> > make a "good" and a "bad" version of a package with the same MD5, and
> > the same size. for someone to make a file with the same hash without
> > influence in the creation of the original file would be a preimage attack.
>
> Yeah, but remember that the "bad" version must also be a valid .deb file with
> something inside that does work; otherwise you may just be able to get some
> random stuff with the same file size and md5 sum but without any use.

Additionally, it doesn't matter -- it's just the md5 in the email
announcement. The Release and Packages files for the archive have SHA1
and SHA256. The md5 from the announcement is almost not important,
IMO -- no one should download files individually from the announcement.

--
Kees Cook@outflux.net
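Added example, not part of any message in this thread: a Python sketch of the check the message above refers to, where a package is validated through the SHA256 entries in the Release and Packages files rather than the MD5 printed in the announcement. The file contents and the `verify_chain` helper are constructed for illustration, and the Release file's signature is assumed to have been verified already.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(release_text: str) -> dict:
    """Map index path -> (sha256, size) from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries

def parse_packages(packages_text: str) -> dict:
    """Map Filename -> stanza fields for each stanza of a Packages index."""
    by_file = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(
            line.split(": ", 1) for line in stanza.splitlines()
            if ": " in line and not line[0].isspace()  # skip continuation lines
        )
        by_file[fields["Filename"]] = fields
    return by_file

def verify_chain(release_text, index_path, packages_bytes, deb_path, deb_bytes):
    """Return (ok, reason). Assumption: the Release signature was checked beforehand."""
    listed = parse_release_sha256(release_text).get(index_path)
    if listed is None:
        return False, "index not listed in Release"
    if listed != (sha256_hex(packages_bytes), len(packages_bytes)):
        return False, "Packages index does not match Release"
    stanza = parse_packages(packages_bytes.decode()).get(deb_path)
    if stanza is None:
        return False, "package not listed in Packages"
    if int(stanza["Size"]) != len(deb_bytes) or stanza["SHA256"] != sha256_hex(deb_bytes):
        return False, "package does not match Packages"
    return True, "ok"

# Constructed sample data (not real archive contents).
DEB = b"!<arch>\nconstructed stand-in for example_1.0-1_all.deb\n"
DEB_PATH = "pool/main/e/example/example_1.0-1_all.deb"
PACKAGES = (
    "Package: example\nVersion: 1.0-1\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n"
).encode()
INDEX = "main/binary-all/Packages"
RELEASE = f"Suite: stable\nSHA256:\n {sha256_hex(PACKAGES)} {len(PACKAGES)} {INDEX}\n"

if __name__ == "__main__":
    print(verify_chain(RELEASE, INDEX, PACKAGES, DEB_PATH, DEB))
    print(verify_chain(RELEASE, INDEX, PACKAGES, DEB_PATH, DEB[:-1] + b"X"))
```

A mirror that rewrites the Packages entry to match a substituted package is caught one step earlier, because the altered index no longer matches the hash listed in the signed Release file.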
Re: md5 hashes used in security announcements
Bas Steendijk wrote:
>
> 2 files with a colliding hash can only be made by someone who can
> influence the creation of the file (thus, someone inside debian). he can
> make a "good" and a "bad" version of a package with the same MD5, and
> the same size. for someone to make a file with the same hash without
> influence in the creation of the original file would be a preimage attack.

Yeah, but remember that the "bad" version must also be a valid .deb file with
something inside that does work; otherwise you may just be able to get some
random stuff with the same file size and md5 sum but without any use.

P.S. I'm not saying it is impossible (I actually don't know, but let's assume
that it is), but chances aren't high.

Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
Re: md5 hashes used in security announcements
Florian Weimer wrote:
> * Bas Steendijk:
>
>> i have sent an email a while ago about the security implications of
>> using MD5 hashes in the security announcements (DSA), but i didn't get
>> any reply at all from this. has it been overlooked?
>
> I don't know to which address you sent the address, so I don't know if
> it's been overlooked.
>
> My general take on this issue is that for this particular purpose, we
> will stop using MD5 when someone comes up with an actual collision for
> a hash published in a DSA. It's not that these hashes are used for
> automated processing. We can't do anything about the old DSAs
> containing MD5 hashes anyway.

2 files with a colliding hash can only be made by someone who can
influence the creation of the file (thus, someone inside debian). he can
make a "good" and a "bad" version of a package with the same MD5, and
the same size. for someone to make a file with the same hash without
influence in the creation of the original file would be a preimage attack.
Re: md5 hashes used in security announcements
Florian Weimer <[EMAIL PROTECTED]> (24/10/2008):
> I don't know to which address you sent the address, so I don't know if
> it's been overlooked.

[EMAIL PROTECTED] aka.
http://lists.debian.org/debian-security/2008/10/msg00030.html

Mraw,
KiBi.
Re: md5 hashes used in security announcements
* Bas Steendijk:

> i have sent an email a while ago about the security implications of
> using MD5 hashes in the security announcements (DSA), but i didn't get
> any reply at all from this. has it been overlooked?

I don't know to which address you sent the address, so I don't know if
it's been overlooked.

My general take on this issue is that for this particular purpose, we
will stop using MD5 when someone comes up with an actual collision for
a hash published in a DSA. It's not that these hashes are used for
automated processing. We can't do anything about the old DSAs
containing MD5 hashes anyway.
Re: md5 hashes used in security announcements
On Fri, Oct 24, 2008 at 04:01:23PM +0200, Nico Golde wrote:
> Hi Bas,
> * Bas Steendijk <[EMAIL PROTECTED]> [2008-10-24 15:44]:
> > i have sent an email a while ago about the security implications of using MD5
> > hashes in the security announcements (DSA), but i didn't get any reply at all
> > from this. has it been overlooked?
>
> I guess not, it's just strange that you think this is not
> known to us.

Is there a bug number ?

Regards,
Paddy
--
Segmentation fault (core dumped): .sig too big
Re: md5 hashes used in security announcements
Hi Bas,
* Bas Steendijk <[EMAIL PROTECTED]> [2008-10-24 15:44]:
> i have sent an email a while ago about the security implications of using MD5
> hashes in the security announcements (DSA), but i didn't get any reply at all
> from this. has it been overlooked?

I guess not, it's just strange that you think this is not
known to us.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
md5 hashes used in security announcements
i have sent an email a while ago about the security implications of using MD5 hashes in the security announcements (DSA), but i didn't get any reply at all from this. has it been overlooked?