[110360] in North American Network Operators' Group
Re: Security team successfully cracks SSL using 200 PS3's and MD5
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Sun Jan 4 00:38:12 2009
To: Florian Weimer <fw@deneb.enyo.de>
In-Reply-To: Your message of "Sat, 03 Jan 2009 17:23:06 +0100."
<87ljts5pg5.fsf@mid.deneb.enyo.de>
From: Valdis.Kletnieks@vt.edu
Date: Sun, 04 Jan 2009 00:37:59 -0500
Cc: Skywing <Skywing@valhallalegends.com>, NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Sat, 03 Jan 2009 17:23:06 +0100, Florian Weimer said:
> Our rationale is that in order to carry out currently known attacks on
> MD5, you need to create a twin of documents, one evil and one
> harmless. In Debian's case, we prepare the data we sign on our
> trusted infrastructure. If someone can sneak in an evil twin due to a
> breach, more direct means of attack are available.
More to the point - there are known easy ways for an attacker to generate *two*
documents that have the same MD5 hash (the basis of this attack). However, the
attacker has no control over what the actual value of that MD5 hash is.

What's *not* still feasible is for an attacker to take Debian's data and the
already-generated MD5 hash, and create a second file that hashes to that
same already-known hash.

At that point, it's probably easier to just attack the trusted infrastructure
in an attempt to recover the GnuPG private key, and then just sign your
evil replacement package. There are 2 advantages to this attack:

1) It doesn't *matter* if they PGP-sign the file with the MD5 hashes or if
the file has SHA1 or SHA512 - the signature will look fine.

2) It's been proven doable to at least one major distro in the past few months.
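Added example (not part of the original message): the distinction drawn above between producing two colliding documents and matching an already-fixed hash, measured on MD5 truncated to 16 bits so both searches finish in seconds. The truncation width, function names and sample data are constructed for illustration, and the collision search here is the generic birthday method, not the published MD5 cryptanalysis.

```python
import hashlib
from itertools import count

BITS = 16  # constructed toy width so the search finishes quickly; MD5 is 128 bits

def toy_hash(data: bytes) -> int:
    """Top BITS bits of MD5: a small stand-in for a full-width hash."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - BITS)

def find_collision():
    """Attacker chooses BOTH inputs and accepts whatever hash value falls out.
    Generic birthday search: about 2**(BITS/2) hashes expected."""
    seen = {}
    for tries in count(1):
        msg = b"twin-%d" % tries
        digest = toy_hash(msg)
        if digest in seen:
            return seen[digest], msg, tries
        seen[digest] = msg

def find_second_preimage(signed: bytes):
    """The hash is fixed by data someone else prepared and signed.
    No shortcut: about 2**BITS hashes expected."""
    target = toy_hash(signed)
    for tries in count(1):
        msg = b"evil-%d" % tries
        if msg != signed and toy_hash(msg) == target:
            return msg, tries

if __name__ == "__main__":
    a, b, n_coll = find_collision()
    print("collision:       %r / %r after %d hashes" % (a, b, n_coll))
    signed = b"Packages file prepared on trusted infrastructure (constructed sample)"
    evil, n_pre = find_second_preimage(signed)
    print("second preimage: %r after %d hashes" % (evil, n_pre))
    print("generic cost at 128 bits: 2**64 vs 2**128 hashes")
```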