Re: [librsync-users] MD4 second-preimage attack

[rsync2eran]

Hi,

On 2006-03-01 18:29, Donovan Baarda wrote:
 http://sourceforge.net/mailarchive/forum.php?forum_id=29760max_rows=25style=flatviewmonth=200404viewday=5
 
 If I understand correctly, provided we add random seeds for blocksums,
 these weaknesses would only make attack case 4) easier.

It indeed affects only case 4, regardless of seek randomization.


 MD4 (with known seed) is thus completely broken, making rsync batch mode
 and librsync unsafe to use in malicious environments. Please do consider
 phasing out MD4.
  
 If someone can provide detailed evidence that some other algorithm
 provides more useful-hash-bits/sec, taking into account the random seed,
 I'll be convinced :-)

OpenSSL's implementation of SHA-1 is as fast as its implementation of
MD4, and both are much faster than librsync's built-in MD4. For MD4, an
efficient second-preimage attack is known, whereas for SHA1, even a
collision has not been demonstrated yet (the best attack presently known
takes ~2^63 work). Is this sufficient evidence?


 In any case, the first thing that will be tackled is changing to use the
 libmd/openssl API for hashes, which will make switching what hash we
 want to use painless... a configure option?

Makes sense, and while at it, please consider setting the default block
hash to SHA-1.


 The fastest hash function with no interesting known attacks is SHA-256,
 which is still somewhat expensive (though this can be partially
 addressed by the meta-hash idea discussed on the librsync list last
 July, Re: more info on 25gig files). SHA-1 may also be OK for a while
 despite the known collision attacks, and has acceptable speed.
 
 The whole file checksum is the real protection against attacks, and for
 this I think we should use something strong, which means enough useful
 hash bits to protect against attack. Remember we only calculate this
 once over the whole file, not once for every potential block match.

The whole-file hash would protect against undetected corruption, but
what about denial of service? It can be rather nasty, for example, to
find out in retrospect that one of the the incremental backups has been
corrupted.


 Remember we only use a small part of the md4sum for the strong
 blocksum, and hence are already using less than the full md4sum. We
 don't really need that many bits of hash for the blocksum.

For incremental backup applications, you'd want even the block hash to
have full cryptographic strength. You can't get that even with the full,
untruncated MD4 hash.


 1) Add whole filesum checksums in the signature and delta. The signature
 will have the oldfile filesum, the delta will have the oldfile and
 newfile filesums. Applications will optionally be able to verify the
 oldfile filesum against the delta before applying patches, and patch
 will evaluate the newfile filesum and return an error if it doesn't
 match.

Sounds great. How about making the full file hash default to SHA-256?


 2) Add a blocksum/filesum seed in the signature and delta. This will be
 used as the seed for both filesums and blocksums. It will default to
 random when generating signatures, but can optionally be specified on
 the command-line. The delta and patch operations will use the seed from
 the corresponding signature.

Excellent.


 3) Add variable blocksum size in the signature. An optimal blocksum size
 can be calculated from the filesize, blocksize, and failure probability.
 The blocksize can be specified on the commandline, but will default to
 sqrt(filesize). The blocksum size will be calculated the same as rsync.
 Note that for this to work with streams, the truncated md4 blocksums
 will not be emitted when generating the signature until the oldfile
 input is completely read (to get the filesize). This ties in with
 feature 4)

There's no need to delay output if the block size is specified by the user.

 4) Add blocksum collision detection when generating the signature.
 This will involve keeping the whole md4 blocksums and checking that
 the truncated strongsum doesn't match against an existing block that
 has a different whole md4sum. If a collision is detected, an error
 will be returned. It is up to the application to do things like
 re-try with another seed (Note you can't retry for piped input).

Maybe in some applications the signature stage has little memory, and
would prefer using a large block hash to prevent collisions and turning
off the explicit collision detection to save memory.


 I'm not entirely sure about using the seed for the filesums too. It may
 be sufficient and convenient to use an unseeded SHA-1 or something, and
 the delta would not need to include the seed. However, it is a
 no-overhead addition that should help.

With SHA-1, the file hash should definitely use a randomized seed. For
SHA-256, it probably doesn't matter.

  Eran
-- 
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

detect renamed still not working

[d . laffien]

Hello there, 

I checked detect renamed in a small scenario again, but it won't work. 

I have some wiles in a dir an moving one to the parent. Rsyncing right 
bevore and after that. The file gets completely new transfered, I can see it 
because of a very slow line. 

This is what I test: 


server:~/test/1 # l new.jpg
-rwxr-xr-x  1 root root 1628679 Mar  2 00:10 new.jpg*
server:~/test/1 # mv new.jpg ..
server:~/test/1 # l ../new.jpg
-rwxr-xr-x  1 root root 1628679 Mar  2 00:10 ../new.jpg*
server:~/test/1 # rsync -e ssh -i /root/.ssh/xxx-rsync-key -r -p -o -g -v 
-z -l -t --stats /root/test/ xxx:/root/test --progress -i --detect-renamed

building file list ...
14 files to consider
.d..t ./
f+++ new.jpg
   1628679 100%   29.10kB/s0:00:53 (xfer#1, to-check=12/14)
.d..t 1/ 


Number of files: 14
Number of files transferred: 1
Total file size: 17493459 bytes
Total transferred file size: 1628679 bytes
Literal data: 1628679 bytes
Matched data: 0 bytes
File list size: 231
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 1628471
Total bytes received: 54 


sent 1628471 bytes  received 54 bytes  24126.30 bytes/sec
total size is 17493459  speedup is 10.74 



Same with --checksum option. So, whats wrong? I even tried to add
--compare-dest=/root/test/1 in this case, but won't work too. 

Anyone has any ideas? 


Thanks in advance,
Daniel Laffien
--
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

remove-send-files, thanks and question

[d . laffien]

First remove-send-files is improved in the actual version
and really works better for me, removing is now more in time. 


In my case I have a buggy wireless cconnection and rsyncing over night
in a loop, until rsync return 0, because often the pipe connection gets 
broken. 


After a complete success rsync there are files left on the sender, because
they where transfered right before loosing connection and not 
transfered#again, because the file already exists on the next loop on
the receivers side. So these files will surely not removed, b ecause they 
are not send. 

Can I do something like delete-existing to delete files on the sender that 
are equal on the receiver? 


Thanks in advance,
Daniel Laffien 



[AMIGA - because life is too short for boring computers] 
--

To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

CVS update: rsync/packaging

[Wayne Davison]

Date:   Sat Mar  4 08:21:59 2006
Author: wayned

Update of /data/cvs/rsync/packaging
In directory dp.samba.org:/tmp/cvs-serv2273

Modified Files:
release-rsync 
Log Message:
Tweaked the mode of the files in the tar file.


Revisions:
release-rsync   1.7 = 1.8

http://www.samba.org/cgi-bin/cvsweb/rsync/packaging/release-rsync?r1=1.7r2=1.8
___
rsync-cvs mailing list
rsync-cvs@lists.samba.org
https://lists.samba.org/mailman/listinfo/rsync-cvs