Foiling MITM attacks on source and ports trees

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Jan 3 12:45:27 UTC 2009


RW wrote:
> On Fri, 02 Jan 2009 17:30:12 +0000
> Vincent Hoffman <vince at unsane.co.uk> wrote:
>> Admittedly this doesn't give a file by file checksum
> 
> That's not really a problem, it's no easier to create a collision
> in a .gz file than a patch file. 
> 
> The more substantial weakness is that the key is verified against a
> hash stored on the original installation media. If someone went to the
> trouble of diverting dns or routing to create a fake FreeBSD site they
> would presumably make it self-consistent down to the ISO checksums.

Yes.  Anyone can generate checksums.  The standard method of getting round
this problem is to cryptographically sign the (lists of) checksums using
some form of public/private key pair.

Unless designed carefully, there will be substantial logistical problems to
maintaining such lists of signatures.  The least laborious mechanism I can
think of would be this: an SSL secured web site using a key+cert signed by
a trusted CA[*].  This site would have privileged access to the master repositories
and would run a fairly simple CGI where supplying the location of a file from
a checked out copy of a repo, plus version number information and whatever
else is necessary to uniquely identify the specific file in question would
be answered with a list of checksums (MD5, SHA1, SHA256 etc.) of that file.
Obviously, this will require substantial caching of previously calculated
checksums simply for performance.  

As an end user, you check out sources etc. from whatever of the mirrors is
most suitable.  You can then verify the correctness of what's on your disk
by comparing a locally generated checksum with what you can download via a
trusted channel from the checksum server.  Since the checksum server is only
accessible via HTTPS and has a trusted certificate it should not be possible
to spoof.  Traffic levels should be relatively small compared to the main
distribution channels.  Even so, because of the SSL requirement it's going to
take a substantial piece of kit to provide this checksumming service at a
decent performance level,  especially when there are recent new releases.

	Cheers,

	Matthew

[*] Buying a high security cert from the likes of Verisign or OpenSRS would
set you back about £800 p.a. and it would probably be necessary to use someone
like the FreeBSD Foundation as an appropriate body to own the cert.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
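
The end-user check described in the message above, as an added example that is not part of the original post or of any FreeBSD tool: hash each file in a checked-out tree locally and compare it with digests obtained from the checksum server. The server URL, its `path`/`rev` query parameters and its JSON reply format are assumptions, and `demo()` uses a constructed two-file tree so the example runs offline.

```python
import hashlib, hmac, json, os, ssl, tempfile
import urllib.parse, urllib.request

ALGOS = ("sha1", "sha256")  # digests requested from the (hypothetical) checksum server

def local_digests(path):
    """Hash a file once, feeding every algorithm from the same read."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def fetch_trusted(base_url, relpath, revision):
    """Ask the checksum CGI for a file's digests. URL, parameters and JSON reply are assumed."""
    if not base_url.startswith("https://"):
        raise ValueError("checksum server must be reached over HTTPS")
    ctx = ssl.create_default_context()  # verifies the CA chain and the hostname
    query = urllib.parse.urlencode({"path": relpath, "rev": revision})
    with urllib.request.urlopen(f"{base_url}?{query}", context=ctx, timeout=30) as r:
        return json.load(r)

def verify_file(path, trusted):
    """True only if SHA256 is present and every digest the server sent matches."""
    if not trusted or "sha256" not in trusted:
        return False
    local = local_digests(path)
    return all(hmac.compare_digest(local[a], str(trusted[a]).lower())
               for a in ALGOS if a in trusted)

def verify_tree(root, lookup):
    """Return sorted relative paths that fail or that the server does not know."""
    bad = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not verify_file(full, lookup(os.path.relpath(full, root))):
                bad.append(os.path.relpath(full, root))
    return sorted(bad)

def demo():
    """Constructed sample: a two-file checkout where one file was altered by a mirror."""
    good = {"Makefile": b"all:\n\tcc -o hello hello.c\n", "hello.c": b"int main(void){return 0;}\n"}
    with tempfile.TemporaryDirectory() as root:
        manifest = {}
        for rel, data in good.items():
            manifest[rel] = {a: hashlib.new(a, data).hexdigest() for a in ALGOS}
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        with open(os.path.join(root, "Makefile"), "ab") as f:
            f.write(b"\t@echo altered\n")
        return verify_tree(root, manifest.get)  # -> ["Makefile"]
```

Against a live service, `lookup` would wrap `fetch_trusted` with the repository revision of the checkout; a file the server has no record of is reported as a failure rather than skipped.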
