[104798] in North American Network Operators' Group


Re: IOS Rootkit: the sky isn't falling (yet)

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue May 27 15:08:35 2008

To: michael.dillon@bt.com
In-Reply-To: Your message of "Tue, 27 May 2008 19:49:21 BST."
	<D03E4899F2FB3D4C8464E8C76B3B68B00295E636@E03MVC4-UKBR.domain1.systemhost.net>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 27 May 2008 15:07:26 -0400
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org


On Tue, 27 May 2008 19:49:21 BST, michael.dillon@bt.com said:
> > Like MD5 File Validation? - "MD5 values are now made
> > available on Cisco.com for all Cisco IOS software images for
> > comparison against local system image values."
> 
> I would expect a real exploit to try to match Cisco's
> MD5 hashes.

Although there is a known attack against MD5 that will generate two plaintexts
with the same (unpredictable) hash, there is as yet no known way significantly
better than brute force to generate a file which hashes to a given hash.  On the
other hand, there have been multiple cases where vandals have replaced a file
on a download site, and updated the webpage to reflect the new MD5 hash.

If you were an attacker, which would you go with:

1) The brute-force attack which will require hundreds of thousands of CPU-years.

2) The super-secret attack that causes a collision to a given hash that none
of the crypto experts know about yet.

3) 'md5sum trojan_ios.bin' and cut-n-paste that into the web page.

> By all means, check those hashes after you download
> them but I would suggest calculating a hash using an alternate
> algorithm for later checking.

You missed the point - if the *FILE* you downloaded from a webpage is suspect,
why do you trust the MD5sum that *the same webpage* says is correct?


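The scenario Valdis describes as option 3, worked through as an added example that is not part of the thread and is not Cisco's or anyone else's tooling: a stand-in download page carries both the image and its published digests, the vandal republishes a trojaned image with freshly computed digests, and the same-page check still passes no matter which hash algorithm is used; only a reference value obtained independently of the page catches the substitution. The image bytes, the `DownloadPage` object, and the `trusted` dictionary are constructed here for illustration and stand in for a real download site.

```python
"""Same-channel hash checks versus out-of-band reference values.

Added example, not from the NANOG thread. The images and the web page are
in-memory stand-ins for a download site; no vendor material or real
published hashes are involved.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


@dataclass
class DownloadPage:
    """A download site as the client sees it: the file plus the checksums
    published on the very same page."""
    image: bytes
    published: dict[str, str] = field(default_factory=dict)


# Constructed stand-in for a router image; real images are far larger.
GENUINE_IMAGE = b"router image v12.4 (constructed placeholder)\x00" * 64
TROJAN_IMAGE = GENUINE_IMAGE.replace(b"v12.4", b"v12.4+backdoor")


def publish(image: bytes, algorithms: tuple[str, ...] = ("md5",)) -> DownloadPage:
    """What whoever controls the page does: post the file and its digests
    side by side, one per algorithm the page advertises."""
    return DownloadPage(image=image,
                        published={alg: digest(image, alg) for alg in algorithms})


def vandalize(page: DownloadPage, trojan: bytes) -> DownloadPage:
    """Option 3 from the post: run md5sum over the trojan and paste the
    result into the page. No weakness in MD5 is needed; the vandal simply
    republishes using the same algorithms the page already lists."""
    return publish(trojan, tuple(page.published))


def check_same_channel(page: DownloadPage, algorithm: str = "md5") -> bool:
    """Client-side check using the reference value from the same page.
    Switching algorithm changes nothing: the reference value travelled over
    the same channel as the file, so it fingerprints whatever is there."""
    return digest(page.image, algorithm) == page.published[algorithm]


def check_out_of_band(image: bytes, trusted: dict[str, str]) -> bool:
    """Check against reference values obtained independently of the page
    (recorded before the compromise, fetched over a second channel, or
    carried in a signature verified with a key already held). Every listed
    algorithm must match."""
    return all(digest(image, alg) == ref for alg, ref in trusted.items())


def demo() -> dict[str, bool]:
    """Run both checks before and after the vandal replaces the image."""
    vendor_page = publish(GENUINE_IMAGE, ("md5", "sha256"))
    trusted = dict(vendor_page.published)   # captured before the compromise
    vandalized = vandalize(vendor_page, TROJAN_IMAGE)
    return {
        "genuine_same_channel": check_same_channel(vendor_page),
        "trojan_same_channel_md5": check_same_channel(vandalized, "md5"),
        "trojan_same_channel_sha256": check_same_channel(vandalized, "sha256"),
        "genuine_out_of_band": check_out_of_band(vendor_page.image, trusted),
        "trojan_out_of_band": check_out_of_band(vandalized.image, trusted),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'PASS' if ok else 'FAIL'}")
```

The two same-channel checks on the vandalized page both pass, which is the point of the reply: the check only proves the file matches the number next to it, and whoever could swap the file could also swap the number. The out-of-band check fails on the trojan only because `trusted` was obtained from somewhere the vandal did not control; that independence, not the choice of algorithm, is what carries the trust.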

