Securely downloading Ubuntu
cjwatson at ubuntu.com
Tue Jan 29 12:16:50 GMT 2008
On Mon, Jan 28, 2008 at 09:28:48AM -0700, Neal McBurnett wrote:
> On Mon, Jan 28, 2008 at 04:44:05PM +0200, Lars Wirzenius wrote:
> > On ti, 2008-01-22 at 19:32 +0000, Chris Lamb wrote:
> > > However, the MD5 digest algorithm is utterly broken
> > How broken is it? Can one reasonably expect that a well-provisioned
> > attacker can create an MD5SUMS file that has the wrong content but still
> > matches the GnuPG signature?
> The current state of the art allows people to easily create two files
> with the same MD5 (a "hash collision"). But no one has claimed to be
> able to create a file that matches the MD5 of a file that someone else
> created (a "preimage attack"):
> To take advantage of the existing vulnerability (hash collision), the
> attacker would have to be also be able to modify the ISO that is
> published on the Ubuntu sites. If they can do that, we have more
> important things to worry about.
They could also set up a malicious Ubuntu mirror, and perhaps use
attacks such as DNS poisoning to substitute for a prominent mirror.
However, the presence of GPG signatures on the MD5SUMS files means that
conscientious users who verify the signatures are safe from hash
collision attacks, and an attacker would require a second-preimage
attack on MD5 in order to produce a compromised image. (Plus, of course,
they would need a second-preimage attack that is sufficiently flexible
to produce a valid working ISO with malicious contents, which probably
makes it a couple of orders of magnitude harder.)
> I think the main risk for Ubuntu would be the latter kind of attack,
> if it is ever developed. Cryptographers are nervous about not only
> MD5, but also all the functions in the same class, which includes
> SHA-1 and SHA-256. The latter ones use more bits and thus have more
> life in them than MD5, but the field is in a lot of turmoil.
Yes. Also note that combining SHA1 or SHA256 with MD5 does not give you
anything like the sum of the difficulty of breaking both independently;
on the contrary, an attack on MD5 gets you quite some distance towards
breaking SHA* as well. It's been a while since I did the maths, but IIRC
MD5 + SHA1 only provides six bits of security over SHA1 alone.
The reason to continue providing MD5 is that the tools to verify them
are better-deployed than those for better hash algorithms, so they
continue to be significantly better than nothing.
> > (I'm all in favor of moving to SHA256 or whatever is considered best
> > practice these days. I've just not heard that MD5 is really as broken as
> > I think Chris suggests here.)
> One easy thing to do is to also publish sha256 sums of the CD
> images, so if MD5 preimage attacks are developed, that would help.
See my other mail in response to Matt on the subject. (In short: I
agree, but there are some infrastructural fixes that need to happen
> I think we should do that now, and consider a hash function in a
> different class also (whirlpool?).
Do you know what the state of cryptanalytic research is on Whirlpool? My
concern is that the MD5/SHA family, for all its faults, has been
extremely extensively cryptanalysed, and at least we know where we
stand, while the other families are still relatively unknown.
> On Tue, Jan 22, 2008 at 07:32:32PM +0000, Chris Lamb wrote:
> > Is it actually possible to securely download Ubuntu?
> > A typical mirror contains an MD5SUMS and an associated MD5SUMS.gpg .
> > However, the MD5 digest algorithm is utterly broken and the key is signed
> > by just a handful of people anyway, only two of which I (visually)
> > recognise as having anything to do with the Ubuntu project.
> Remember, anyone can sign a key on a public keyring, so most of those
> sigs are probably from "volunteers".
While of course there's no reason you should believe me from this mail
alone, although https://launchpad.net/~ubuntu-cdimage/+members may help,
the only relevant signature (i.e. one from an administrator of the CD
image build system) on the cdimage key 1024D/FBB75451 right now is mine.
However, that should be good enough for most people who care about GPG
as my key is in the top 100 or so in the worldwide strong set, so almost
anyone who's signed keys outside an isolated group should have a trust
path to the cdimage key.
> But all the user needs is a trust path from their trusted keys to the
> key in question, and since it is signed by
> Ubuntu Archive Master Signing Key <ftpmaster at ubuntu.com>
> users should be able to have that.
(Also signed by me. That key has special arrangements to defend against
its compromise, and is never kept on a network-connected system.)
> But the warning on the
> https://help.ubuntu.com/community/VerifyIsoHowto page is an issue:
> WARNING: This key is not certified with a trusted signature!
> That ftpmaster key is already on installed systems, right? I would
> think we could preinstall system keyrings and give instructions that
> would be based on that. Do we not ship the <cdimage at ubuntu.com> key?
It's in the ubuntu-keyring package, which is installed by default,
although it's not imported into users' keyrings by default (though it
would be easy enough to provide instructions on how to do so):
$ gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg --list-keys
gpg: please do a --check-trustdb
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>
sub 2048g/79164387 2004-09-12
pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdimage at ubuntu.com>
$ gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-master-keyring.gpg --list-keys
gpg: please do a --check-trustdb
pub 4096R/3F272F5B 2007-11-09
uid Ubuntu Archive Master Signing Key <ftpmaster at ubuntu.com>
Colin Watson [cjwatson at ubuntu.com]
More information about the ubuntu-devel