[104880] in North American Network Operators' Group


RE: IOS Rookit: the sky isn't falling (yet)

daemon@ATHENA.MIT.EDU (Fred Reimer)
Thu May 29 10:21:11 2008

Date: Thu, 29 May 2008 10:20:44 -0400
In-Reply-To: <20080529094259.51dc493e@yellowstone.machshav.com>
From: "Fred Reimer" <freimer@ctiusa.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

This is not a crypto forum, so we shouldn't get deep into the MD5 collision
debate, but I didn't say HOW there has been limited success.  Sorry if the
wording of my message was not clear and implied that all you would need were
the plaintext and the hash.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697


> -----Original Message-----
> From: Steven M. Bellovin [mailto:smb@cs.columbia.edu]
> Sent: Thursday, May 29, 2008 9:43 AM
> To: Fred Reimer
> Cc: Gadi Evron; nanog@nanog.org
> Subject: Re: IOS Rookit: the sky isn't falling (yet)
> 
> On Thu, 29 May 2008 09:18:07 -0400
> "Fred Reimer" <freimer@ctiusa.com> wrote:
> 
> > So the only easy way to attack this is the MD5 hash.  We have a known
> > plaintext (the IOS code) and the hash.  It is not trivial to be able
> > to make changes in the code and maintain the same hash value, but
> > there has been at least limited success in doing so.
> 
> No there has not.  There has been considerable success at creating
> *collisions*; if you don't have a collaborator inside Cisco's build
> team, that does you no good in this case.  There has been *no* success
> at preimage attacks, which is what we're talking about here.  (Aside:
> I'm on record as saying I wouldn't be surprised if preimage attacks
> were developed soon by the cryptanalytic community, since people are
> paying so much more attention to hash functions now, but that hasn't
> happened yet.)
> 
> If you do have a collaborator, there is a conceivable attack.  Use the
> collision attack -- that is, the ability to simultaneously produce two
> files with the same hash -- to generate a genuine IOS image that is
> nevertheless susceptible to being replaced by a corrupted one.  It's a
> delicate process, though, since even a 1-bit change will completely
> change the hash output and ruin the collision.  You're much better off
> having your collaborator simply install a back door for you -- and it
> almost certainly won't be found.  See
> http://www.eecs.berkeley.edu/Pubs/TechRpts/2007/EECS-2007-136.html or
> Chapter 8 of http://zesty.ca/pubs/yee-phd.pdf
> 
> 
> 		--Steve Bellovin, http://www.cs.columbia.edu/~smb
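The distinction Bellovin draws above (collision versus preimage) as an added illustration, not code from either poster or from Cisco: a defender's image-hash check, the avalanche effect a 1-bit edit causes, and a birthday search on a truncated MD5 showing why finding a colliding pair of one's own inputs is a different and far easier problem than matching a hash someone else published. The sample image bytes and the 20-bit truncation are constructed for the demo.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed stand-in for an IOS image on disk; not a real Cisco image.
SAMPLE_IMAGE = b"constructed-sample-ios-image\n" * 32

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def verify_image(image: bytes, published_md5_hex: str) -> bool:
    """Defender's check: does the image on disk hash to the vendor-published MD5?
    Slipping a modified image past this needs a (second) preimage of a hash the
    attacker did not get to choose, which is the attack Bellovin says does not exist."""
    return hmac.compare_digest(md5_hex(image), published_md5_hex.lower())

def flip_bit(data: bytes, bit_index: int) -> bytes:
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

def hash_bits_changed(data: bytes, bit_index: int) -> int:
    """Avalanche effect: how many of MD5's 128 output bits change after a 1-bit edit.
    This is why a carefully built collision pair is ruined by the smallest later change."""
    before = int(md5_hex(data), 16)
    after = int(md5_hex(flip_bit(data, bit_index)), 16)
    return bin(before ^ after).count("1")

def truncated_md5(data: bytes, bits: int) -> int:
    """Top `bits` bits of MD5: a toy hash small enough to collide in a loop."""
    return int(md5_hex(data), 16) >> (128 - bits)

def find_collision(bits: int = 20) -> Tuple[bytes, bytes]:
    """Birthday search on the truncated hash: the searcher picks BOTH inputs, so
    about 2 ** (bits / 2) trials suffice. Neither input matches any given target,
    which is why a colliding pair on its own does not defeat verify_image()."""
    seen: Dict[int, bytes] = {}
    counter = 0
    while True:
        candidate = b"candidate-%d" % counter
        digest = truncated_md5(candidate, bits)
        if digest in seen:
            return seen[digest], candidate  # two distinct inputs, same truncated hash
        seen[digest] = candidate
        counter += 1
```

On a full 128-bit MD5 the same birthday search would need on the order of 2**64 trials, and a preimage of a fixed published hash roughly 2**128, which is the gap between "collisions exist" and "a modified image can pass the published hash".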
