On Sat, Sep 03, 2011 at 01:41:09AM +0300, Alexey Shvetsov wrote:
> Hi all!
>
> Seems rsbac alive again and its people created a repo with git gpg
> related things [1]
>
> [1] http://git.rsbac.org/cgi-bin/gitweb.cgi?p=git-gpg.git;a=summary
A strongly related discussion was had on IRC last night, and I see that
this RSBAC project falls vulnerable to the exact same attack that I
described.

I'll include it here for good measure.
1. Many months before the visible part of the attack, the attacker
   constructs a preimage attack, probably in some file that includes
   binary junk padding.
1.1. The pre-image attack has:
     M = malicious code
     S = safe code
     P1 = padding #1
     P2 = padding #2
     SHA1(M | P1) == SHA1(S | P2).
     (M | P1) and (S | P2) are used as blobs.
1.2. The attacker controls all 4 parts, pre-image attacks against SHA1
     have been well-described in papers since 2006.
2. Attacker compromises the Git service.
2.1. Getting into the system
2.2. Replace the safe blob with the malicious blob.
3. Profit.
|
The above attack will NOT be detected by the RSBAC commit signing.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@g.o
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
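
An added illustration, not part of the original message or of the RSBAC git-gpg code: a signature that covers a blob only through its object id still verifies after a swap to a different blob with the same id, while a separately recorded SHA-256 of the content does not match. Assumptions: the id is the real Git blob id truncated to 16 bits so that a matching blob can be found in a demo, HMAC stands in for the GPG signature, and all keys and file contents are constructed.

```python
import hashlib
import hmac
import itertools

ID_HEX_CHARS = 4  # assumption: 16-bit truncated id, a toy stand-in for a broken hash

def git_blob_id(content: bytes) -> str:
    # Real Git blob id: SHA-1 over the header "blob <len>" + NUL, then the content.
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()

def weak_id(content: bytes) -> str:
    return git_blob_id(content)[:ID_HEX_CHARS]

def sign(key: bytes, data: bytes) -> str:
    # HMAC stands in for the GPG signature made over the commit (assumption).
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def find_padding(target_id: str, prefix: bytes) -> bytes:
    # Toy-sized search for P1 such that weak_id(M | P1) equals the signed id.
    for n in itertools.count():
        pad = n.to_bytes(4, "big")
        if weak_id(prefix + pad) == target_id:
            return pad

def verify(key, signature, signed_id, blob, manifest=None):
    # Returns (signature chain ok, content digest ok).
    sig_ok = hmac.compare_digest(sign(key, signed_id.encode()), signature)
    id_ok = weak_id(blob) == signed_id
    content_ok = manifest is None or hashlib.sha256(blob).hexdigest() == manifest
    return sig_ok and id_ok, content_ok

def demo():
    key = b"constructed-demo-key"
    safe = b"print('hello')\n" + b"P2-padding"       # S | P2 (constructed)
    signed_id = weak_id(safe)
    signature = sign(key, signed_id.encode())        # the signature only covers the id
    manifest = hashlib.sha256(safe).hexdigest()      # extra digest recorded at signing time
    m = b"print('changed')\n"                        # M (constructed, inert)
    swapped = m + find_padding(signed_id, m)         # M | P1
    return (
        verify(key, signature, signed_id, safe, manifest),     # original blob
        verify(key, signature, signed_id, swapped),            # swap, signature check only
        verify(key, signature, signed_id, swapped, manifest),  # swap, with SHA-256 check
    )

if __name__ == "__main__":
    print(demo())
```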