Hi all,

While the attack sequence presented is valid, in practice, given that there are a lot of "Debian based" distributions out there, wouldn't this be caught somewhere down the line?

Having said that, I fully agree that MD5 should no longer be recommended.

On 01/24/2011 09:42 AM, René Mayrhofer wrote:
> On Sunday, 23 January 2011, at 20:52:44, AK wrote:
>> Regarding the MD5 sum example and certain released PoCs: producing two
>> "random" files with identical MD5 sums is one thing, introducing a
>> meaningful backdoor (which means deterministic change) or ten in a
>> Debian iso and generating an iso file which is similar in size to the
>> original one and has an identical MD5 sum might be a tad more
>> computationally difficult (this is my estimation), especially for
>> something as short-lived as a Linux CD image.
> With control over a single Debian package (read: when a Debian developer is
> in on the attack), it could be easily done including plausible deniability
> for the involved developer:
>
> 1. Place a random (but large enough) binary blob into a binary installed by a
> package. The binary blob in the Debian package as uploaded to the archive is
> completely harmless and may just look odd (if it was detected, that is).
>
> 2. Create a second binary blob with a collision (but with harmful content).
> This is fairly easy to do if the two blobs are similar save for a small,
> known-to-collide part.
>
> 3. Wait for the uploaded package to appear in an ISO and the MD5 sums to be
> created
>
> 4. Replace the binary blob, the MD5 sum still matches.
>
> 5. Give somebody the changed ISO....
>
> So yes, MD5 should no longer be recommended.
>
> best regards,
> Rene
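
An added illustration, not part of the original thread: why the swap in steps 2 to 4 passes a checksum-only check, and what a second, stronger digest in the published manifest catches. MD5 truncated to 16 bits stands in for a hash with practical collisions; the image layout and all function names are constructed for this example.

```python
import hashlib
from itertools import count

def weak16(data: bytes) -> str:
    """Stand-in for a collision-prone hash: MD5 truncated to 16 bits."""
    return hashlib.md5(data).hexdigest()[:4]

def strong(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_image(blob: bytes) -> bytes:
    """Constructed stand-in for an ISO: fixed content around one opaque blob."""
    return b"IMAGE-HEADER|" + blob + b"|IMAGE-TRAILER"

def find_colliding_images():
    """Birthday search for two different images with the same weak digest.

    The toy hash forces a search over the whole image; with real MD5 the
    colliding blocks keep colliding when identical data follows them.
    """
    seen = {}
    for i in count():
        image = build_image(b"blob-%d" % i)
        digest = weak16(image)
        if digest in seen:
            return seen[digest], image
        seen[digest] = image

def make_manifest(image: bytes) -> dict:
    """What the publisher records once, at release time."""
    return {"weak16": weak16(image), "sha256": strong(image)}

def verify(image: bytes, manifest: dict) -> str:
    weak_ok = weak16(image) == manifest["weak16"]
    strong_ok = strong(image) == manifest["sha256"]
    if weak_ok and strong_ok:
        return "ok"
    if weak_ok:
        # Weak digest agrees, strong one does not: not random corruption.
        return "weak-only-match"
    return "mismatch"

if __name__ == "__main__":
    released, swapped = find_colliding_images()
    manifest = make_manifest(released)
    print(verify(released, manifest), verify(swapped, manifest))
```

A `weak-only-match` result is the signal worth alerting on: accidental corruption breaks both digests, so agreement on the weak one alone points to a deliberately constructed file.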