Securely downloading Ubuntu

[Neal McBurnett]

On Mon, Jan 28, 2008 at 04:44:05PM +0200, Lars Wirzenius wrote:
> On ti, 2008-01-22 at 19:32 +0000, Chris Lamb wrote:
> > However, the MD5 digest algorithm is utterly broken 
> 
> How broken is it? Can one reasonably expect that a well-provisioned
> attacker can create an MD5SUMS file that has the wrong content but still
> matches the GnuPG signature?

The current state of the art allows people to easily create two files
with the same MD5 (a "hash collision").  But no one has claimed to be
able to create a file that matches the MD5 of a file that someone else
created (a "preimage attack"):

 http://en.wikipedia.org/wiki/MD5

 http://en.wikipedia.org/wiki/Preimage_attack

To take advantage of the existing vulnerability (hash collision), the
attacker would have to be also be able to modify the ISO that is
published on the Ubuntu sites.  If they can do that, we have more
important things to worry about.

I think the main risk for Ubuntu would be the latter kind of attack,
if it is ever developed.  Cryptographers are nervous about not only
MD5, but also all the functions in the same class, which includes
SHA-1 and SHA-256.  The latter ones use more bits and thus have more
life in them than MD5, but the field is in a lot of turmoil.

> (I'm all in favor of moving to SHA256 or whatever is considered best
> practice these days. I've just not heard that MD5 is really as broken as
> I think Chris suggests here.)

One easy thing to do is to also publish sha256 sums of the CD
images, so if MD5 preimage attacks are developed, that would help.

I think we should do that now, and consider a hash function in a
different class also (whirlpool?).

Shipping more hash functions in the base install would help a lot in a
crisis, so users have what they need to validate software updates.
I guess coreutils has the md5 and sha families well covered, but
again, something different like whirlpool could help a lot some day.

There is at least one LGPL library which provides a uniform interface
to a large number of hash algorithms: mhash
(http://mhash.sourceforge.net/).  And there is a python interface to
it, but I don't see a package for it.

On Tue, Jan 22, 2008 at 07:32:32PM +0000, Chris Lamb wrote:
> Is it actually possible to securely download Ubuntu?
> 
> A typical mirror contains an MD5SUMS and an associated MD5SUMS.gpg [0].
> However, the MD5 digest algorithm is utterly broken and the key is signed
> by just a handful of people anyway[1], only two of which I (visually)
> recognise as having anything to do with the Ubuntu project.

Remember, anyone can sign a key on a public keyring, so most of those
sigs are probably from "volunteers".  But all the user needs is a
trust path from their trusted keys to the key in question, and since
it is signed by

 Ubuntu Archive Master Signing Key <ftpmaster at ubuntu.com>

users should be able to have that.  But the warning on the
https://help.ubuntu.com/community/VerifyIsoHowto page is an issue:

 WARNING: This key is not certified with a trusted signature!

That ftpmaster key is already on installed systems, right?  I would
think we could preinstall system keyrings and give instructions that
would be based on that.  Do we not ship the <cdimage at ubuntu.com> key?

> If the MD5SUMS files are purely for validating downloads[3], could the
> completely useless/misleading GPG files be dropped?

They are far from useless - they are the only way to validate the hash
information based on trust roots that are (or should be) on your
system already.

Neal McBurnett                 http://mcburnett.org/neal/

> /Lamby
> 
> [0] http://cdimage.ubuntu.com/releases/7.10/release/
> [1] http://preview.tinyurl.com/2llzqr
> [2] https://help.ubuntu.com/community/VerifyIsoHowto