2013/1/27, Jeffrey Walton <[email protected]>:
> Hi Nicolás
>
> Just a few comments, with no good suggestions....
>
>> 3. Project executables are signed by RSA-encrypting a MD5 hash of the
>> file.
>
> So, what it sounds like is somewhat like a signature, but using the
> public key rather than private key.

No, it's using the private key to sign, of course. RSA_private_encrypt(md5(data)) to sign, RSA_public_decrypt(signature)==md5(data) to check the signature.

> Perhaps it would be a good idea to move to PSS or Full Domain Hashing?
> Full Domain Hashing was just being discussed on another list (in the
> context of RSA signatures and OAEP).
> http://www.cs.ucdavis.edu/~rogaway/papers/exact.pdf.

Perhaps using a better signing method would help, but why? Is the current system broken, apart from triggering emdeepentaphobia? I don't think it's worth the incompatibility hassles.

>> To break this you need a second-preimage attack. MD5 has known
>> collision attacks that make it useless for anything needing
>> collision-resistance, but the best known preimage attack brings the
>> complexity from a 2^128 brute-force to 2^123
>
> We also have chosen prefix attacks. They were theoretical until Flame
> appeared. Confer:
> http://www.google.com/#hl=en&q=chosen+prefix+attack+md5.

Chosen prefix attacks don't help you attack this. You don't get to append data to the legitimate executable. The legitimate file is immutable; you have to create a second malicious file with the same hash. You can create two files with the same hash, but you can't create a file with the same hash as an existing one that you can't modify.

>> With current attacks and hardware, the Sun
>> will turn into a red giant *long* before you can make a file that has
>> the same MD5 hash as an existing BOINC science app.
>
> Yes, agreed. But it's usually not brute force we worry about.

I wasn't talking about brute-force. As I said before, brute-force has a complexity of 2^128, and the best known attack has complexity 2^123. If I calculated correctly, you can have a 2^100 attack and significantly faster computers, and my comparison would still hold. You can do it before the heat death of the universe, but not before the Sun explodes.

I see nothing insecure in the way BOINC does file-signing. The main problem is in the human side, such as projects not protecting their private key enough.

--
Nicolás
_______________________________________________
boinc_dev mailing list
[email protected]
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
To unsubscribe, visit the above URL and (near bottom of page) enter your email address.
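The sign/verify scheme described in the message above, as an added example that is neither BOINC's code nor part of the thread: toy textbook RSA in Python over constructed Mersenne-prime keys (far too small for real use), with the PKCS#1 v1.5 block-type-1 padding that OpenSSL's RSA_private_encrypt applies under RSA_PKCS1_PADDING. The key constants, the sample "executable" bytes and the helper names are assumptions made here; the point it shows is that the signature commits only to md5(data), so a forged file must carry the exact digest of the original, which is the second-preimage requirement the message refers to.

```python
import hashlib
from typing import Optional

# Constructed toy key: two Mersenne primes, chosen only so that the
# 30-byte modulus has room for PKCS#1 v1.5 padding plus a 16-byte MD5.
# Real BOINC projects use proper RSA keys; only the arithmetic is mirrored.
P = 2**107 - 1
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent
K = (N.bit_length() + 7) // 8        # modulus size in bytes (30 here)

# Constructed sample "science app" bytes; not a real BOINC executable.
APP = b"\x7fELFconstructed BOINC-style science app, sample bytes only\n"

def file_digest(data: bytes) -> bytes:
    """md5(data): the only thing the signature actually commits to."""
    return hashlib.md5(data).digest()

def pkcs1_type1_pad(digest: bytes) -> bytes:
    """EM = 00 || 01 || FF..FF || 00 || digest (PKCS#1 v1.5 block type 1),
    the layout RSA_private_encrypt produces with RSA_PKCS1_PADDING."""
    ps_len = K - 3 - len(digest)
    if ps_len < 8:
        raise ValueError("modulus too small for PKCS#1 v1.5 padding")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + digest

def sign(data: bytes) -> bytes:
    """signature = RSA_private_encrypt(md5(data))"""
    em = int.from_bytes(pkcs1_type1_pad(file_digest(data)), "big")
    return pow(em, D, N).to_bytes(K, "big")

def signed_digest(sig: bytes) -> Optional[bytes]:
    """RSA_public_decrypt(signature): recover the embedded digest, or None
    when the padding structure is malformed (verification must then fail)."""
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    if em[:2] != b"\x00\x01":
        return None
    sep = em.find(b"\x00", 2)
    # at least 8 bytes of 0xFF padding, then the 0x00 separator
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):
        return None
    return em[sep + 1:]

def verify(data: bytes, sig: bytes) -> bool:
    """RSA_public_decrypt(signature) == md5(data)"""
    return signed_digest(sig) == file_digest(data)
```

Any change to the file changes md5(data) and the check fails; a forger who cannot modify the signed original would need a second file with the same MD5, not merely a colliding pair.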
