will lunar switch from md5sum's

Jon South striker at lunar-linux.org
Thu Aug 19 15:16:25 GMT 2004


Hendrik Visage wrote:
> To understand the ultimate risk, you'll have to understand the ease of
> generating a valid piece of code, still the same exact length as the original,
> and *that* to have the same hash value. Yes, these research papers showed it
> easier than we expected, but still they haven't shown it possible with
> multi-megabyte compressed files to be able to exploit the system and
> inject/remove valuable code.

Someone could theoretically remove certain files, such as docs, man 
pages, readme's, or even code comments and have plenty of room to insert 
a trojan that polls a website for more stuff to infect the system with.

> The risk is still not so big to worry about it if it's done properly, i.e.
> you do the hash on the compressed data, and not the source code, as you add
> an extra layer of complexity, as the cracker needs to find a valid
> gzip/bzip2 file that has a hash collision with the original, *and* that has
> a valid source code that has a backdoor in it. Not impossible, but in my
> opinion much less likely.

Someone who would even bother to attempt something like that could 
probably minimize that extra layer with some nice fast machines -- or 
perhaps, if they could compress the trojanized version smaller than the 
original archive (removing docs, etc), they could play with inserting 
extra junk data into the compressed archive.

-Striker

-- 
The system requirements said "Windows 95 or better"
So I installed Linux.

Microsoft sells you Windows; Linux gives you the house.

v1sw6CUhw5ln4pr5ck4ma6/7u8Lw3Tm5l6+8GOa21s6Mr2e5+7t5/6TNDVESLFRXMb3Hp0en6/7g9ASTHCNMP 
www.hackerkey.com

Registered Linux User: 332618
<http://striker.interhact.net/striker.asc>
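
An added example, not part of the original message or of Lunar's tooling: a Python check for the padding case discussed above, where a smaller archive is filled out with junk to match the original's length. The function names and both sample archives are constructed for illustration.

```python
import gzip
import hashlib
import zlib


def inspect_gzip(blob):
    """Decompress the first gzip member and count the bytes that follow it."""
    d = zlib.decompressobj(31)  # wbits=31: expect a gzip header and trailer
    payload = d.decompress(blob) + d.flush()
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return {
        "archive_len": len(blob),
        "archive_sha256": hashlib.sha256(blob).hexdigest(),
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "trailing_bytes": len(d.unused_data),
    }


def constructed_samples():
    """Build two constructed archives of identical length (not real packages)."""
    code = b"int main(void) { return 0; }\n"
    docs = b"".join(b"man page line %d\n" % i for i in range(200))
    original = gzip.compress(code + docs)
    trimmed = gzip.compress(code)  # docs removed, so it compresses smaller
    padded = trimmed + b"\0" * (len(original) - len(trimmed))
    return original, padded


if __name__ == "__main__":
    for name, blob in zip(("original", "padded"), constructed_samples()):
        r = inspect_gzip(blob)
        print(name, r["archive_len"], r["trailing_bytes"], r["payload_sha256"][:16])
```

The check only covers bytes after the first gzip member; a matching archive length by itself says nothing about the payload, which is why the payload digest is reported separately.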

