Gentoo Archives: gentoo-scm

From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-scm@l.g.o
Subject: Preimage attack against Git/RSBAC commit signing Was: [gentoo-scm] Git gpg commit signing
Date: Fri, 02 Sep 2011 22:51:59
Message-Id: robbat2-20110902T224533-103274792Z@orbis-terrarum.net
In Reply to: [gentoo-scm] Git gpg commit signing by Alexey Shvetsov
On Sat, Sep 03, 2011 at 01:41:09AM +0300, Alexey Shvetsov wrote:
> Hi all!
>
> Seems rsbac alive again and its people created a repo with git gpg
> related things [1]
>
> [1] http://git.rsbac.org/cgi-bin/gitweb.cgi?p=git-gpg.git;a=summary
A strongly related discussion was had on IRC last night, and I see that
this RSBAC project falls vulnerable to the exact same attack that I
described.

I'll include it here for good measure.
1. Many months before the visible part of the attack, the attacker
   constructs a preimage attack, probably in some file that includes
   binary junk padding.
1.1. The pre-image attack has:
     M = malicious code
     S = safe code
     P1 = padding #1
     P2 = padding #2
     SHA1(M | P1) == SHA1(S | P2).
     (M | P1) and (S | P2) are used as blobs.
1.2. The attack controls all 4 parts, pre-image attacks against SHA1
     have been well-described in papers since 2006.
2. Attacker compromises the Git service.
2.1. Getting into the system
2.2. Replace the safe blob with the malicious blob.
3. Profit.

The above attack will NOT be detected by the RSBAC commit signing.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
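
Added example, not part of the original message and not RSBAC or Git code: it shows why a signature over a commit binds file contents only through their hash, so two blobs with the same id are indistinguishable to the signature check, while a second independent digest still tells them apart. Assumptions: the signature covers the commit text; `sha1_toy` (SHA-1 cut to 16 bits) is a constructed stand-in for a hash where equal ids are feasible; the file name, identities and blob contents are constructed.

```python
import hashlib
from itertools import count

def sha1_full(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def sha1_toy(data: bytes) -> bytes:
    # Constructed weak hash: SHA-1 truncated to 16 bits, so equal ids are easy to find.
    return hashlib.sha1(data).digest()[:2]

def object_id(kind: bytes, body: bytes, h) -> bytes:
    # Git hashes b"<type> <size>\0" followed by the object body.
    return h(kind + b" %d\0" % len(body) + body)

def signed_payload(blob: bytes, h) -> bytes:
    """Commit text a signature would cover (assumed): it names only the tree id."""
    blob_id = object_id(b"blob", blob, h)
    tree = b"100644 lib.c\0" + blob_id  # tree entry: mode, name, raw blob id
    tree_id = object_id(b"tree", tree, h)
    return (b"tree " + tree_id.hex().encode() + b"\n"
            b"author A U Thor <a@example.org> 0 +0000\n"
            b"committer A U Thor <a@example.org> 0 +0000\n\nadd lib.c\n")

def colliding_blobs(s: bytes, m: bytes, h):
    """Pick paddings so (S | P2) and (M | P1) get the same blob id under h."""
    seen = {}
    for i in range(4096):
        blob = s + b"/* %d */\n" % i
        seen[object_id(b"blob", blob, h)] = blob
    for j in count():
        blob = m + b"/* %d */\n" % j
        twin = seen.get(object_id(b"blob", blob, h))
        if twin is not None:
            return twin, blob

def demo() -> dict:
    safe, evil = colliding_blobs(b"int check(void) { return verify(); }\n",
                                 b"int check(void) { return 1; }\n", sha1_toy)
    return {
        "contents_differ": safe != evil,
        # Same blob id -> same tree id -> byte-identical signed commit text.
        "toy_payload_same": signed_payload(safe, sha1_toy) == signed_payload(evil, sha1_toy),
        # Under full SHA-1 these two constructed blobs do not share an id.
        "full_payload_same": signed_payload(safe, sha1_full) == signed_payload(evil, sha1_full),
        # An independent digest of the content still separates the two blobs.
        "sha256_differs": hashlib.sha256(safe).digest() != hashlib.sha256(evil).digest(),
    }

if __name__ == "__main__":
    print(demo())
```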