Securely downloading Ubuntu


Securely downloading Ubuntu

by Chris Lamb

Hi,

Is it actually possible to securely download Ubuntu?

A typical mirror contains an MD5SUMS and an associated MD5SUMS.gpg [0].
However, the MD5 digest algorithm is utterly broken and the key is signed
by just a handful of people anyway [1], only two of which I (visually)
recognise as having anything to do with the Ubuntu project.

If the MD5SUMS files are purely for validating downloads [3], could the
completely useless/misleading GPG files be dropped?


/Lamby

[0] http://cdimage.ubuntu.com/releases/7.10/release/
[1] http://preview.tinyurl.com/2llzqr
[2] https://help.ubuntu.com/community/VerifyIsoHowto

--
Chris Lamb, UK                                       chris@...
                                                            GPG: 0x634F9A20


--
ubuntu-devel mailing list
ubuntu-devel@...
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel


Re: Securely downloading Ubuntu

by Lars Wirzenius

On ti, 2008-01-22 at 19:32 +0000, Chris Lamb wrote:
> However, the MD5 digest algorithm is utterly broken

How broken is it? Can one reasonably expect that a well-provisioned
attacker can create an MD5SUMS file that has the wrong content but still
matches the GnuPG signature?

(I'm all in favor of moving to SHA256 or whatever is considered best
practice these days. I've just not heard that MD5 is really as broken as
I think Chris suggests here.)




Re: Securely downloading Ubuntu

by Neal McBurnett

On Mon, Jan 28, 2008 at 04:44:05PM +0200, Lars Wirzenius wrote:
> On ti, 2008-01-22 at 19:32 +0000, Chris Lamb wrote:
> > However, the MD5 digest algorithm is utterly broken
>
> How broken is it? Can one reasonably expect that a well-provisioned
> attacker can create an MD5SUMS file that has the wrong content but still
> matches the GnuPG signature?

The current state of the art allows people to easily create two files
with the same MD5 (a "hash collision").  But no one has claimed to be
able to create a file that matches the MD5 of a file that someone else
created (a "preimage attack"):

 http://en.wikipedia.org/wiki/MD5

 http://en.wikipedia.org/wiki/Preimage_attack

To take advantage of the existing vulnerability (hash collision), the
attacker would also have to be able to modify the ISO that is
published on the Ubuntu sites.  If they can do that, we have more
important things to worry about.

I think the main risk for Ubuntu would be the latter kind of attack,
if it is ever developed.  Cryptographers are nervous about not only
MD5, but also all the functions in the same class, which includes
SHA-1 and SHA-256.  The latter ones use more bits and thus have more
life in them than MD5, but the field is in a lot of turmoil.

> (I'm all in favor of moving to SHA256 or whatever is considered best
> practice these days. I've just not heard that MD5 is really as broken as
> I think Chris suggests here.)

One easy thing to do is to also publish sha256 sums of the CD
images, so if MD5 preimage attacks are developed, that would help.

I think we should do that now, and consider a hash function in a
different class also (whirlpool?).

Shipping more hash functions in the base install would help a lot in a
crisis, so users have what they need to validate software updates.
I guess coreutils has the md5 and sha families well covered, but
again, something different like whirlpool could help a lot some day.

There is at least one LGPL library which provides a uniform interface
to a large number of hash algorithms: mhash
(http://mhash.sourceforge.net/).  And there is a python interface to
it, but I don't see a package for it.

On Tue, Jan 22, 2008 at 07:32:32PM +0000, Chris Lamb wrote:
> Is it actually possible to securely download Ubuntu?
>
> A typical mirror contains an MD5SUMS and an associated MD5SUMS.gpg [0].
> However, the MD5 digest algorithm is utterly broken and the key is signed
> by just a handful of people anyway [1], only two of which I (visually)
> recognise as having anything to do with the Ubuntu project.

Remember, anyone can sign a key on a public keyring, so most of those
sigs are probably from "volunteers".  But all the user needs is a
trust path from their trusted keys to the key in question, and since
it is signed by

 Ubuntu Archive Master Signing Key <ftpmaster@...>

users should be able to have that.  But the warning on the
https://help.ubuntu.com/community/VerifyIsoHowto page is an issue:

 WARNING: This key is not certified with a trusted signature!

That ftpmaster key is already on installed systems, right?  I would
think we could preinstall system keyrings and give instructions that
would be based on that.  Do we not ship the <cdimage@...> key?

> If the MD5SUMS files are purely for validating downloads [3], could the
> completely useless/misleading GPG files be dropped?

They are far from useless - they are the only way to validate the hash
information based on trust roots that are (or should be) on your
system already.

Neal McBurnett                 http://mcburnett.org/neal/

> /Lamby
>
> [0] http://cdimage.ubuntu.com/releases/7.10/release/
> [1] http://preview.tinyurl.com/2llzqr
> [2] https://help.ubuntu.com/community/VerifyIsoHowto


Re: Securely downloading Ubuntu

by Matt Zimmerman

On Mon, Jan 28, 2008 at 09:28:48AM -0700, Neal McBurnett wrote:

> > (I'm all in favor of moving to SHA256 or whatever is considered best
> > practice these days. I've just not heard that MD5 is really as broken as
> > I think Chris suggests here.)
>
> One easy thing to do is to also publish sha256 sums of the CD
> images, so if MD5 preimage attacks are developed, that would help.
>
> I think we should do that now, and consider a hash function in a
> different class also (whirlpool?).
>
> Shipping more hash functions in the base install would help a lot in a
> crisis, so users have what they need to validate software updates.
> I guess coreutils has the md5 and sha families well covered, but
> again, something different like whirlpool could help a lot some day.

Perhaps we should publish detached signatures for each ISO rather than
signing MD5SUMS?

--
 - mdz


Re: Securely downloading Ubuntu

by Matt Zimmerman

On Mon, Jan 28, 2008 at 10:39:03AM -0700, Neal McBurnett wrote:

> On Mon, Jan 28, 2008 at 05:20:52PM +0000, Matt Zimmerman wrote:
> > On Mon, Jan 28, 2008 at 09:28:48AM -0700, Neal McBurnett wrote:
> > > > (I'm all in favor of moving to SHA256 or whatever is considered best
> > > > practice these days. I've just not heard that MD5 is really as broken as
> > > > I think Chris suggests here.)
> > >
> > > One easy thing to do is to also publish sha256 sums of the CD
> > > images, so if MD5 preimage attacks are developed, that would help.
> > >
> > > I think we should do that now, and consider a hash function in a
> > > different class also (whirlpool?).
> > >
> > > Shipping more hash functions in the base install would help a lot in a
> > > crisis, so users have what they need to validate software updates.
> > > I guess coreutils has the md5 and sha families well covered, but
> > > again, something different like whirlpool could help a lot some day.
> >
> > Perhaps we should publish detached signatures for each ISO rather than
> > signing MD5SUMS?
>
> From what I've heard, the main principle for dealing with hash issues
> is "algorithm agility" - i.e. making it easy for folks to use multiple
> algorithms.
>
> Publishing detached signatures is a way to make the user interface
> easier (perhaps) for folks that want to validate the gpg signature.
> But I would think many (especially those without a good way to trust
> the gpg key, as noted previously) would want to just be able to
> validate hashes.
>
> I would still argue for the use of multiple hash algorithms, and I
> guess for gpg that means multiple detached signatures, one per hash
> algorithm.  And some are not supported by all versions of gpg....
>
> I'd suggest we publish a "CHECKSUMS" file with a good assortment of
> hashes in text format, and also sign that.

There are two reasons for checking the hashes:

Authentication - the downloaded image is in fact the official one provided
by the Ubuntu project, unaltered

Integrity - the downloaded image hasn't been randomly corrupted in transit

(it happens that verifying authenticity ensures integrity as a side effect)

Authentication, I believe, would be better served by signing the image
directly.  This both avoids an attack on the intervening checksums in
MD5SUMS and provides a cryptographically stronger check.  I believe the .gpg
format already supports multiple signatures with different algorithms, so
this would be reasonably future-proof.

Integrity is served well enough by the existing MD5 hashes, which are still
extremely robust against unintentional corruption.

The above is based on only a very basic understanding of cryptography,
however, so corrections are welcome from folks with more experience in this
area.

--
 - mdz

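A verifier for the kind of sectioned, multi-algorithm CHECKSUMS file Neal proposes above, reporting Matt's authentication and integrity cases separately. This is an added example, not code from the thread or from the Ubuntu release tooling; the `# algorithm` section headers and the STRONG policy are assumptions, and it presumes the file's GPG signature has already been checked.

```python
import hashlib
import hmac

# Assumed policy: these algorithms count as authentication-grade; any other match still proves integrity.
STRONG = {"sha256", "sha512"}


def parse_checksums(text):
    """Return {algorithm: {filename: hexdigest}} from a sectioned CHECKSUMS file."""
    entries, algo = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                 # section header, e.g. "# sha256"
            algo = line[1:].strip().lower()
            continue
        if algo is None:
            raise ValueError("digest line before any algorithm header")
        digest, _, name = line.partition("  ")  # coreutils format: two spaces
        name = name.lstrip("*")                  # '*' marks binary mode
        if not name or not digest:
            raise ValueError(f"malformed line: {raw!r}")
        entries.setdefault(algo, {})[name] = digest.lower()
    return entries


def make_checksums(files, algos):
    """Producer side: one section per algorithm for the given {name: bytes}."""
    out = []
    for algo in algos:
        out.append(f"# {algo}")
        for name, data in files.items():
            out.append(f"{hashlib.new(algo, data).hexdigest()}  {name}")
    return "\n".join(out) + "\n"


def verify_image(data, filename, checksums_text):
    """Check `data` against every listed digest for `filename`.
    Returns (status, matched, skipped); status is "mismatch" (treat as hostile),
    "unverified" (nothing checkable), "integrity-only" (only weak digests
    matched) or "authentic" (a STRONG digest matched and nothing failed).
    Assumes the GPG signature on the CHECKSUMS file was verified beforehand.
    """
    matched, skipped = [], []
    for algo, files in parse_checksums(checksums_text).items():
        if filename not in files:
            continue
        if algo not in hashlib.algorithms_available:
            skipped.append(algo)                 # algorithm agility: tolerate unknowns
            continue
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, files[filename]):
            return "mismatch", matched, skipped
        matched.append(algo)
    if not matched:
        return "unverified", matched, skipped
    if any(algo in STRONG for algo in matched):
        return "authentic", matched, skipped
    return "integrity-only", matched, skipped


# Constructed sample: an ISO stand-in plus a CHECKSUMS file that also lists an algorithm this hashlib lacks.
IMAGE_NAME = "ubuntu-7.10-desktop-i386.iso"
IMAGE = b"constructed stand-in for an ISO image\n" * 64
SAMPLE_CHECKSUMS = (make_checksums({IMAGE_NAME: IMAGE}, ["md5", "sha256"])
                    + f"# futurehash\n{'00' * 32}  {IMAGE_NAME}\n")
```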

Re: Securely downloading Ubuntu

by Colin Watson

On Tue, Jan 29, 2008 at 09:57:55AM +0000, Matt Zimmerman wrote:

> There are two reasons for checking the hashes:
>
> Authentication - the downloaded image is in fact the official one provided
> by the Ubuntu project, unaltered
>
> Integrity - the downloaded image hasn't been randomly corrupted in transit
>
> (it happens that verifying authenticity ensures integrity as a side effect)
>
> Authentication, I believe, would be better served by signing the image
> directly.  This both avoids an attack on the intervening checksums in
> MD5SUMS and provides a cryptographically stronger check.  I believe the .gpg
> format already supports multiple signatures with different algorithms, so
> this would be reasonably future-proof.

Signing a message generally actually amounts to taking some hash of it
and signing that; you don't run expensive algorithms like RSA over the
whole message. Since the MD5 hashes are useful to expose anyway, I don't
see any cryptographic benefit in making GPG do this computation again
(aside from the possibility that it would use a different hash, but then
we could usefully expose the result of that hash too).

See e.g. http://en.wikipedia.org/wiki/Digital_signature for a short
discussion of why signatures are in fact implemented by signing a hash
rather than the whole message.

As Neal noted, MD5 hasn't yet had second-preimage attacks, so I am not
concerned about practical attacks at this time. Publishing SHA256 hashes
would be fairly reasonable; the only reason we have not yet done this is
that the checksumming process is already the slowest part of the CD
release process by some distance due to some inefficiencies in that
process (i.e. the images are checksummed again rather than copying the
existing checksums from the daily build), and I feel we should fix that
first, otherwise it makes release day even more painful.

Cheers,

--
Colin Watson                                       [cjwatson@...]


Re: Securely downloading Ubuntu

by Colin Watson

On Mon, Jan 28, 2008 at 09:28:48AM -0700, Neal McBurnett wrote:

> On Mon, Jan 28, 2008 at 04:44:05PM +0200, Lars Wirzenius wrote:
> > On ti, 2008-01-22 at 19:32 +0000, Chris Lamb wrote:
> > > However, the MD5 digest algorithm is utterly broken
> >
> > How broken is it? Can one reasonably expect that a well-provisioned
> > attacker can create an MD5SUMS file that has the wrong content but still
> > matches the GnuPG signature?
>
> The current state of the art allows people to easily create two files
> with the same MD5 (a "hash collision").  But no one has claimed to be
> able to create a file that matches the MD5 of a file that someone else
> created (a "preimage attack"):
>
>  http://en.wikipedia.org/wiki/MD5
>
>  http://en.wikipedia.org/wiki/Preimage_attack
>
> To take advantage of the existing vulnerability (hash collision), the
> attacker would also have to be able to modify the ISO that is
> published on the Ubuntu sites.  If they can do that, we have more
> important things to worry about.

They could also set up a malicious Ubuntu mirror, and perhaps use
attacks such as DNS poisoning to substitute for a prominent mirror.
However, the presence of GPG signatures on the MD5SUMS files means that
conscientious users who verify the signatures are safe from hash
collision attacks, and an attacker would require a second-preimage
attack on MD5 in order to produce a compromised image. (Plus, of course,
they would need a second-preimage attack that is sufficiently flexible
to produce a valid working ISO with malicious contents, which probably
makes it a couple of orders of magnitude harder.)

> I think the main risk for Ubuntu would be the latter kind of attack,
> if it is ever developed.  Cryptographers are nervous about not only
> MD5, but also all the functions in the same class, which includes
> SHA-1 and SHA-256.  The latter ones use more bits and thus have more
> life in them than MD5, but the field is in a lot of turmoil.

Yes. Also note that combining SHA1 or SHA256 with MD5 does not give you
anything like the sum of the difficulty of breaking both independently;
on the contrary, an attack on MD5 gets you quite some distance towards
breaking SHA* as well. It's been a while since I did the maths, but IIRC
MD5 + SHA1 only provides six bits of security over SHA1 alone.

The reason to continue providing MD5 is that the tools to verify them
are better-deployed than those for better hash algorithms, so they
continue to be significantly better than nothing.

> > (I'm all in favor of moving to SHA256 or whatever is considered best
> > practice these days. I've just not heard that MD5 is really as broken as
> > I think Chris suggests here.)
>
> One easy thing to do is to also publish sha256 sums of the CD
> images, so if MD5 preimage attacks are developed, that would help.

See my other mail in response to Matt on the subject. (In short: I
agree, but there are some infrastructural fixes that need to happen
first.)

> I think we should do that now, and consider a hash function in a
> different class also (whirlpool?).

Do you know what the state of cryptanalytic research is on Whirlpool? My
concern is that the MD5/SHA family, for all its faults, has been
extremely extensively cryptanalysed, and at least we know where we
stand, while the other families are still relatively unknown.

> On Tue, Jan 22, 2008 at 07:32:32PM +0000, Chris Lamb wrote:
> > Is it actually possible to securely download Ubuntu?
> >
> > A typical mirror contains an MD5SUMS and an associated MD5SUMS.gpg [0].
> > However, the MD5 digest algorithm is utterly broken and the key is signed
> > by just a handful of people anyway [1], only two of which I (visually)
> > recognise as having anything to do with the Ubuntu project.
>
> Remember, anyone can sign a key on a public keyring, so most of those
> sigs are probably from "volunteers".

While of course there's no reason you should believe me from this mail
alone, although https://launchpad.net/~ubuntu-cdimage/+members may help,
the only relevant signature (i.e. one from an administrator of the CD
image build system) on the cdimage key 1024D/FBB75451 right now is mine.
However, that should be good enough for most people who care about GPG
as my key is in the top 100 or so in the worldwide strong set, so almost
anyone who's signed keys outside an isolated group should have a trust
path to the cdimage key.

> But all the user needs is a trust path from their trusted keys to the
> key in question, and since it is signed by
>
>  Ubuntu Archive Master Signing Key <ftpmaster@...>
>
> users should be able to have that.

(Also signed by me. That key has special arrangements to defend against
its compromise, and is never kept on a network-connected system.)

> But the warning on the
> https://help.ubuntu.com/community/VerifyIsoHowto page is an issue:
>
>  WARNING: This key is not certified with a trusted signature!
>
> That ftpmaster key is already on installed systems, right?  I would
> think we could preinstall system keyrings and give instructions that
> would be based on that.  Do we not ship the <cdimage@...> key?

It's in the ubuntu-keyring package, which is installed by default,
although it's not imported into users' keyrings by default (though it
would be easy enough to provide instructions on how to do so):

  $ gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg --list-keys
  gpg: please do a --check-trustdb
  /usr/share/keyrings/ubuntu-archive-keyring.gpg
  ----------------------------------------------
  pub   1024D/437D05B5 2004-09-12
  uid                  Ubuntu Archive Automatic Signing Key <ftpmaster@...>
  sub   2048g/79164387 2004-09-12
 
  pub   1024D/FBB75451 2004-12-30
  uid                  Ubuntu CD Image Automatic Signing Key <cdimage@...>
 
  $ gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-master-keyring.gpg --list-keys
  gpg: please do a --check-trustdb
  /usr/share/keyrings/ubuntu-master-keyring.gpg
  ---------------------------------------------
  pub   4096R/3F272F5B 2007-11-09
  uid                  Ubuntu Archive Master Signing Key <ftpmaster@...>

Cheers,

--
Colin Watson                                       [cjwatson@...]


Re: Securely downloading Ubuntu

by Matt Zimmerman

On Tue, Jan 29, 2008 at 12:00:56PM +0000, Colin Watson wrote:

> Signing a message generally actually amounts to taking some hash of it
> and signing that; you don't run expensive algorithms like RSA over the
> whole message. Since the MD5 hashes are useful to expose anyway, I don't
> see any cryptographic benefit in making GPG do this computation again
> (aside from the possibility that it would use a different hash, but then
> we could usefully expose the result of that hash too).
>
> See e.g. http://en.wikipedia.org/wiki/Digital_signature for a short
> discussion of why signatures are in fact implemented by signing a hash
> rather than the whole message.

I suppose the main benefit would be in having a painless transition to newer
hash algorithms as GnuPG is updated.  If we want to solve this once and for
all (and I think we do), then as Neal points out, we need to include support
for multiple hash algorithms, rather than merely switching from MD5 to
SHA-x.  This means either generating multiple files in the existing format,
or requiring some other tool which can interpret the checksum file and
verify the images.  GnuPG, as a widely available, standard tool which
handles this gracefully, seemed like a good choice.

> As Neal noted, MD5 hasn't yet had second-preimage attacks, so I am not
> concerned about practical attacks at this time. Publishing SHA256 hashes
> would be fairly reasonable; the only reason we have not yet done this is
> that the checksumming process is already the slowest part of the CD
> release process by some distance due to some inefficiencies in that
> process (i.e. the images are checksummed again rather than copying the
> existing checksums from the daily build), and I feel we should fix that
> first, otherwise it makes release day even more painful.

It would be useful if we could do these in a single pass, but if we can't,
then I guess it makes sense to continue to sign the hashes instead.  We'll
have to do this over again at some point, though.

--
 - mdz
