Gentoo Archives: gentoo-scm

From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-scm@l.g.o
Subject: Preimage attack against Git/RSBAC commit signing Was: [gentoo-scm] Git gpg commit signing
Date: Fri, 02 Sep 2011 22:51:59
In Reply to: [gentoo-scm] Git gpg commit signing by Alexey Shvetsov
On Sat, Sep 03, 2011 at 01:41:09AM +0300, Alexey Shvetsov wrote:
> Hi all! > > Seems rsbac alive again and its people created a repo with git gpg > related things [1] > > [1];a=summary
A strongly related discussion was had on IRC last night, and I see that this RSBAC project falls vulnerable to the exact same attack that I described. I'll include it here for good measure. 1. Many months before the visible part of the attack, the attacker constructs a preimage attack, probably in some file that includes binary junk padding. 1.1 The pre-image attack has: M = malicious code S = safe code P1 = padding #1 P2 = padding #2 SHA1(M | P1) == SHA1(S | P2). (M | P1) and S | P2 are used as blobs. 1.2. The attack controls all 4 parts, pre-image attacks against SHA1 have been well-described in papers since 2006. 2. Attacker compromises the Git service. 2.1. Getting into the system 2.2. Replace the safe blob with the malicious blob. 3. Profit. The above attack will NOT be detected by the RSBAC commit signing. -- Robin Hugh Johnson Gentoo Linux: Developer, Trustee & Infrastructure Lead E-Mail : robbat2@g.o GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85