[arch-general] Packages Verified with MD5
Никола Вукосављевић
hauzer at gmx.com
Sun Jan 12 14:02:00 EST 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12.1.2014 19:29, Taylor Hornby wrote:
> On 01/12/2014 10:11 AM, Mark Lee wrote:
>> Perhaps I'm not strong enough in mathematics but I'd like to know
>> how possible md5 collisions can be weaponized. From what I see,
>> the idea would be to modify a binary such that it contains
>> malicious code (without changing the md5sum). Since most security
>> packages contain a number of compilation tests and md5 hashes
>> vary significantly with slight modifications, I'd like to know
>> how these collisions can be used to hijack a system. If one has
>> to build a binary that doesn't even encompass the functionality
>> of the binary it's trying to mimic, wouldn't that severely
>> decrease the effectiveness of a hash collision?
>
> The problem with MD5 is that it's possible to find two different
> messages A and B such that MD5(A) = MD5(B). The birthday attack
> [1] makes it possible to find collisions for 128-bit hashes (like
> MD5) in about 2^64 operations, but there are MD5-specific attacks
> that make it even easier for MD5. So... it takes a bit of time to
> find a collision, but not too much time. It can be done in about a
> day with PS3's [2].
>
> For my explanation, I'll ignore the MD5-specific attacks and just
> use the birthday attack since it's easier to understand.
>
> The attacker starts out with two files:
>
> 1. The official copy of TrueCrypt.
>
> 2. A malicious copy of TrueCrypt.
>
> The malicious change would be something simple. For example, they
> could find where the master encryption key is copied into a
> buffer:
>
> ... MOV [master_key + ECX], EAX // EAX holds master key bits
> ...
>
> And change it so that it's always zero:
>
> ... MOV [master_key + ECX], 0 // Now the master key is set to
> zero ...
>
> Only one instruction is different, but now TrueCrypt encrypts
> everything with a null key.
>
> From these two copies copies of TrueCrypt, they generate 2^64
> variants of each. They can do this by re-ordering instructions,
> changing which registers are used for which variables, re-ordering
> ELF segments, or just appending random strings to the file (you can
> append stuff to an ELF binary and it will still run fine).
>
> Now the attacker has:
>
> 1. 2^64 files that are different, but behave exactly like the
> non-malicious official copy of TrueCrypt.
>
> 2. 2^64 files that are different, but behave exactly like the
> malicious copy of TrueCrypt (that uses zero keys or whatever).
>
> If MD5 was a good hash function, each of the files would hash to a
> random 128-bit value. You should now be able to see that at least
> one file from the "non-malicious" set of files probably has the
> same MD5 hash as one of the files from the "malicious" set of
> files.
>
> There are 2^64 * 2^64 = 2^128 ways of pairing a file from the
> non-malicious pile with one from the malicious pile. The chance of
> any one pair colliding is 1 in 2^128, so there's a good chance that
> at least one of the pairs collide (it's not exactly 100% since the
> pairs are not mutually independent).
>
> To find the collision quickly, the attacker can just sort one of
> the sets of files by hash value, then for each file in the other
> set, use a binary search to see if any file has the same hash.
> Ignoring log(n) factors, that would take on the order of 2^64
> operations.
>
> So... Now the attacker has two files with the same MD5 hash. One
> that behaves like the official copy of TrueCrypt, and another that
> uses null keys.
>
> So, they give the *good* copy to the package maintainer, who
> laboriously checks that it's not backdoored (as if that ever
> happens). The package maintainer thinks everything is fine, since
> it behaves exactly like TrueCrypt and there's nothing fishy about
> the file (they probably won't notice some instructions being
> reordered). The file might even be the same as the one from the
> TrueCrypt website, if the attacker is collaborating with the
> TrueCrypt developers.
>
> The package maintainer thinks everything is good, so they hard-code
> the MD5 hash of their good copy into the PKGBUILD.
>
> Now, when most users install TrueCrypt, they will download the
> *good* copy, check the MD5 hash, it will match, and everything will
> be good. However, when the adversary sees that his target (e.g. a
> terrorist, or activist/journalist living in a non-free country) is
> downloading TrueCrypt, they will silently replace the file with
> with the *bad* copy. When the MD5 gets checked, it will match, and
> the user will be encrypting their files with null keys.
>
> In total, it took the attacker on the order of 2^66 operations to
> find the colliding files. You'd need a good budget (like the NSA's,
> or a large company's) to do that, but if you take advantage of the
> MD5-specific attacks too, you can do it for much cheaper.
>
> Of course, this doesn't just apply to TrueCrypt, it could be
> applied to any other software that's checked only with an MD5 hash.
> To backdoor a web server, for example, you could change a constant
> used in array index bounds checking to introduce a buffer overflow
> vulnerability.
>
> [1] https://en.wikipedia.org/wiki/Birthday_attack
>
> [2] http://www.win.tue.nl/hashclash/rogue-ca/
>
Good stuff. Thanks for your time.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBAgAGBQJS0uaoAAoJEB1x37R9kdwnoDwQAMGT20QaQBwbT5V14F+aGTwk
lQT8t0ggUXQxyJ1Lhvvqo9fG4CDBFwSl/h/VncVQE3IW3Aaz/EfJ72fuggTbLfp6
UXpDWgGe5kFSyDD9Sk6NEZc+FHZRPTWjpOu/gV4dg6qGqxOrg4RZkgizJkWt5Lfm
PGf4EYSHwC5BR/o/WLHdhJzQHEIYTLmBIIPIUq2InBOQTLcA+gyVcoMY/jMdgN8D
ytiN9gE5jefozjDkMNp1W+EVabYpIG3rQJdgGmahBXmWFtV765gsU1fqwU7SVS9d
nJQRFEIraJDeaplhxEdrCa0205EsTKlAXgqZRLqvYOq/v2afVagvNwpwJvu5A68f
TIVWNcWMcZOdn+1Dk4nuBMF8BJAtmppD+CNiaDMm+hMS7Hy9Q9R1chByij5x0mVB
brAgVRELa5gvR5m0tSxJxJwyLxy9J3vQTtDFT6JVw8z3AQH/HZihgsxp9ANzn6j+
A3T5B8bqOXc2lkgGh84tuqnl/Gjm9+uaPIKnxf34Q78WMmX+XoPHiM+O8yTdl8/f
k61UWSl0KfRsZ9+lnbDbFKitP/ssUo4eB4uqGJIHrql+eKVuVn8602c8HyrssDG1
kvRWIEgp5vRgJ/s+dFKO7RhHordMbhJFwkftfxY0dRmlfeRnkdQKMaUyEB4GVVKV
o1MN29AEKsfCTPlEbjlb
=4jUR
-----END PGP SIGNATURE-----
More information about the arch-general
mailing list