Security
Dealing with weakness in SHA-1
The SHA-1 hash function serves an auxiliary role in a number of cryptography utilities, notably OpenPGP, where it is used to sign documents and generate key fingerprints. Researchers recently published an attack on SHA-1 that can find collisions in drastically shorter time than previously thought, accelerating the move to replace SHA-1. A contest is underway to select a replacement, that will be designated SHA-3, but it will not be standardized until 2012. Between now and then, there are several steps interested individuals can take to harden themselves against attack — starting with understanding just what a hash collision can and cannot compromise.
SHA-1 was created by the National Security Agency (NSA) in 1995. It computes a 160-bit hash or "digest" of any message less than 2^64 bits long. Like any cryptographic hash function, its value as a message authentication tool depends on it being mathematically hard to find a collision: two messages that generate the same hash value. A brute-force search would, on average, take 2^80 evaluations of the function to find a collision (80 being half of the 160 bit digest length). Such a search would find two arbitrary messages that result in the same hash, not allow an attacker to find a collision with any specific message, but the 2^80 steps of a brute-force attack serves as a metric for the comparative efficiency of other attacks.
In recent years, the most efficient known attack on SHA-1 required 2^63 evaluations — around 1/100,000th the number of steps for a brute force search, but still safely outside the reach of a real-world attacker. That changed in April of 2009, when Cameron McDonald, Josef Pieprzyk, and Phil Hawkes presented findings [PDF] at the Eurocrypt 2009 conference that lowered the bar to 2^52 — a 2,000-fold speedup over 2^63. The existence of such an attack is far from a crisis-level weakness, but the upshot is that it is better to start migrating away from SHA-1 while it is still relatively safe.
SHA-1 in free software cryptography
SHA-1 is used in public-key cryptographic systems, including the OpenPGP specification (RFC 4880) implemented on most Linux desktop and server distributions by GnuPG. Since SHA-1 is a hash function, and not a cipher, it does not play a direct role in encryption, but it is used for digital signatures. In addition, OpenPGP key fingerprints are created with SHA-1, and key fingerprints are in turn used in key revocation and modification detection codes (MDC).
An OpenPGP digital signature involves computing a hash of the original message, then encrypting the hash with the signer's private encryption key. To verify the signed message's integrity, the recipient also needs to be able to compute the same hash on the received text. That requires support from the software and the keys used — although OpenPGP supports multiple hash algorithms in addition to SHA-1, old DSA keys can only use 160-bit signatures. Historically, that meant SHA-1, although RIPEMD-160 is compatible as well. Consequently, selecting a stronger algorithm when signing messages is possible with an application like GnuPG, but in the worst case scenario a user wishing to avoid SHA-1 would need to create a new DSA2 or RSA signing key.
Key fingerprints are digests of public keys, useful for key management because they are considerably shorter than the key from which they are hashed — thus making them human-readable so they can be compactly referenced more easily. Applications often list keys in a user's keyring by their fingerprint, so a SHA-1 collision that results in two keys having the same fingerprint could cause user confusion or unpredictable application behavior. Perhaps more importantly, key revocation certificates reference keys using fingerprints, again opening the door to unpredictable behavior if the application finds two keys with identical fingerprints. OpenPGP specifies SHA-1 as the only hash algorithm for version 4 keys (the latest revision), so there is no current workaround for fingerprint collisions.
MDC is an OpenPGP system to provide message integrity-checking with less overhead and less stringent requirements than full digital signatures. RFC 4880 describes it as "analogous to a checksum." MDC also specifies SHA-1 as its sole hash algorithm, but because its modest goals cover message integrity but not authentication, the existence of collisions does not adversely affect it. The checksum-like usage of the hash algorithm in this context simply verifies that the message content was not altered or corrupted in transit.
Although 2^52-evaluation collisions represent a significant weakening of SHA-1, it is important to note that hash collisions are not as easy to exploit as broken ciphers. On the GnuPG users' mailing list, maintainer David Shaw evaluated some of the possible scenarios, such as attempting to forge a signature. Even with the easier-to-exploit MD5 collision problem, thus far no one has been able to create a phony signature to match the signature of an existing key; the closest anyone has come is to generate two keys that can be used to create the same signature — an attack with little practical value. The prevailing opinion on the IETF's OpenPGP Working Group list was much the same. A more likely problem is the unexpected behavior of applications when confronted with fingerprint collisions.
Practical migration and looking forward
Nevertheless, users are encouraged to transition away from SHA-1 usage to stronger hash algorithms. The US government has mandated deprecation of SHA-1 for its use by the end of 2010. There are several alternative hash functions available today, including the family known as SHA-2. SHA-2 includes several functions that are related but use different digest lengths: SHA-224, SHA-256, SHA-384, and SHA-512. The SHA-2 functions are algorithmically similar to SHA-1, and so would be vulnerable to the same type of attacks, but because of their larger digest size they remain significantly more secure.
The National Institute of Standards and Technology (NIST) is currently holding a competition to select a next-generation hash algorithm to be designated SHA-3. Submissions were due in October of 2008, and the final winner is expected to be announced in 2012.
Debian's Daniel Kahn Gillmor posted a step-by-step guide to migrating away from SHA-1 in GnuPG. Included are instructions for setting up signing algorithm preferences in gpg.conf, attaching digest preferences to a public key so that other users will select a stronger algorithm when sending a message, and generating a replacement for an old DSA key. It is an important read particularly for key replacement, because setting strong digest preferences must be done before generating a new key — otherwise GnuPG will default to using SHA-1.
GnuPG for its part is planning to change its defaults in future releases, so that newly-created keys will default to RSA instead of DSA, and be able to use newer hash algorithms. Gillmor has also proposed a tool to scan OpenPGP keys and offer suggestions to the user for strengthening them — including using the current format, key type and size, appropriate sub-keys, and several other parameters.
The trickier problem is the OpenPGP specification's inclusion of SHA-1 as the "hardwired" choice for fingerprinting, revocation, and MDC. A thread on the OpenPGP Working Group's mailing list exposes several points of view. Some think that the group should wait for SHA-3, some think a change is due now, and others think that hash collisions even on fingerprints are not a significant enough security risk to warrant changing the specification.
As Gillmor's migration guide indicates, Debian is trying migrate its developers, maintainers, and teams away from SHA-1 digests and DSA keys and towards RSA keys with SHA-512 digests. Likewise, the Fedora project has undertaken a concerted migration to SHA-2 hashes. Ubuntu's security team administrator Kees Cook says that that distribution will update its keys over time, but that there is no rush. OpenSUSE's Marcus Meissner echos that sentiment, observing that the distribution is phasing out SHA-1 and MD5 for signing, but that collisions do not constitute a security threat for simple download integrity checking. All four distributions already use RSA master keys to sign packages.
Shaw emphasized that the recent attacks on SHA-1 still require a
significant amount of work, and at best would allow an attacker to produce
two original documents that hash to the same value, which does not directly
impact most people's usage of OpenPGP. "This is not an attack where someone
could take an existing OpenPGP-signed document and make a new document that
matches the signature or the like.
" He advised individuals and maintainers
who know that their intended recipients can accept larger hashes to use
larger hashes, particularly when signing documents created by someone else
(such as at a key-signing event), but not to worry unduly about using SHA-1
when that is the only option. In other words, he said, walk, but don't
run, for the exits.
Brief items
Researchers Build Anonymous, Browser-Based 'Darknet' (DarkReading)
DarkReading reports on an upcoming Black Hat presentation which creates a "darknet" from within browsers. A darknet is a network like Tor or Freenet that allows for secure, anonymous use. "Veiled is basically a 'zero footprint' network, in which groups can rapidly form and disappear without a trace. It connects the user's HTML 5-based browser to a single PHP file, which downloads some JavaScript code into the browser. Pieces of the file are spread among the members of the Veiled darknet. It's not peer-to-peer, but rather a chain of 'repeaters' of the PHP file, the researchers say."
New vulnerabilities
acroread: multiple vulnerabilities
| Package(s): | acroread | CVE #(s): | CVE-2009-0198 CVE-2009-0509 CVE-2009-0510 CVE-2009-0511 CVE-2009-0512 CVE-2009-0888 CVE-2009-0889 CVE-2009-1855 CVE-2009-1856 CVE-2009-1857 CVE-2009-1858 CVE-2009-1859 CVE-2009-1861 CVE-2009-2028 | ||||||||||||||||
| Created: | June 17, 2009 | Updated: | September 1, 2009 | ||||||||||||||||
| Description: | acroread has a number of vulnerabilities. From the Red Hat alert: Multiple security flaws were discovered in Adobe Reader. A specially crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2009-0198, CVE-2009-0509, CVE-2009-0510, CVE-2009-0511, CVE-2009-0512, CVE-2009-0888, CVE-2009-0889, CVE-2009-1855, CVE-2009-1856, CVE-2009-1857, CVE-2009-1858, CVE-2009-1859, CVE-2009-1861, CVE-2009-2028) | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
coccinelle: symlink attack
| Package(s): | coccinelle | CVE #(s): | CVE-2009-1753 | ||||
| Created: | June 16, 2009 | Updated: | June 17, 2009 | ||||
| Description: | From the CVE entry: Coccinelle 0.1.7 allows local users to overwrite arbitrary files via a symlink attack on an unspecified "result file." | ||||||
| Alerts: |
| ||||||
drupal-views: cross site scripting
| Package(s): | drupal-views | CVE #(s): | |||||||||||||
| Created: | June 16, 2009 | Updated: | June 17, 2009 | ||||||||||||
| Description: | From the Fedora advisory: The Views module provides a flexible method for Drupal site designers to control how lists of content are presented. In the Views UI administrative interface when configuring exposed filters, user input presented as possible exposed filters is not correctly filtered, potentially allowing malicious users to insert arbitrary HTML and script code into these pages. In addition, content entered by users with 'administer views' permission into the View name when defining custom views is subsequently displayed without being filtered. Such cross site scripting (XSS) attacks may lead to a malicious user gaining full administrative access. An access bypass may exist where unpublished content owned by the anonymous user (e.g. content created by a user whose account was later deleted) is visible to any anonymous user there is a view already configured to show it incorrectly. An additional access bypass may occur because Views may generate queries which disrespect node access control. Users may be able to access private content if they have permission to see the resulting View. | ||||||||||||||
| Alerts: |
| ||||||||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2009-2043 CVE-2009-2044 CVE-2009-2061 CVE-2009-2065 | ||||||||||||
| Created: | June 17, 2009 | Updated: | August 3, 2009 | ||||||||||||
| Description: | Firefox has a multiple vulnerabilities. From the Mandriva alert:
CVE-2009-2043: firefox - remote TinyMCE denial of service CVE-2009-2044: firefox - remote GIF denial of service CVE-2009-2061: firefox - man-in-the-middle exploit CVE-2009-2065: firefox - man-in-the-middle exploit | ||||||||||||||
| Alerts: |
| ||||||||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2009-1392 CVE-2009-1832 CVE-2009-1833 CVE-2009-1834 CVE-2009-1835 CVE-2009-1836 CVE-2009-1837 CVE-2009-1838 CVE-2009-1839 CVE-2009-1840 CVE-2009-1841 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 12, 2009 | Updated: | August 3, 2009 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-1392, CVE-2009-1832, CVE-2009-1833, CVE-2009-1837, CVE-2009-1838, CVE-2009-1841) Multiple flaws were found in the processing of malformed, local file content. If a user loaded malicious, local content via the file:// URL, it was possible for that content to access other local data. (CVE-2009-1835, CVE-2009-1839) A script, privilege elevation flaw was found in the way Firefox loaded XML User Interface Language (XUL) scripts. Firefox and certain add-ons could load malicious content when certain policy checks did not happen. (CVE-2009-1840) A flaw was found in the way Firefox displayed certain Unicode characters in International Domain Names (IDN). If an IDN contained invalid characters, they may have been displayed as spaces, making it appear to the user that they were visiting a trusted site. (CVE-2009-1834) A flaw was found in the way Firefox handled error responses returned from proxy servers. If an attacker is able to conduct a man-in-the-middle attack against a Firefox instance that is using a proxy server, they may be able to steal sensitive information from the site the user is visiting. (CVE-2009-1836) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gupnp: crash on zero length content
| Package(s): | gupnp | CVE #(s): | |||||||||
| Created: | June 16, 2009 | Updated: | June 17, 2009 | ||||||||
| Description: | From the Fedora advisory: Version 0.12.8 fixes a bug where the gupnp stack crashes when passed empty content. | ||||||||||
| Alerts: |
| ||||||||||
icu: cross-site scripting
| Package(s): | icu | CVE #(s): | CVE-2009-0153 | ||||||||||||||||||||||||||||
| Created: | June 16, 2009 | Updated: | October 8, 2009 | ||||||||||||||||||||||||||||
| Description: | From the CVE entry: International Components for Unicode (ICU) in Apple Mac OS X 10.5 before 10.5.7 does not properly handle invalid byte sequences during Unicode conversion, which might allow remote attackers to conduct cross-site scripting (XSS) attacks. | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
irssi: off-by-one error
| Package(s): | irssi | CVE #(s): | CVE-2009-1959 | ||||||||||||||||||||||||||||
| Created: | June 16, 2009 | Updated: | December 8, 2009 | ||||||||||||||||||||||||||||
| Description: | From the Mandriva advisory: Off-by-one error in the event_wallops function in fe-common/irc/fe-events.c in irssi 0.8.13 allows remote IRC servers to cause a denial of service (crash) via an empty command, which triggers a one-byte buffer under-read and a one-byte buffer underflow. | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
libtorrent-rasterbar: directory traversal
| Package(s): | libtorrent-rasterbar | CVE #(s): | CVE-2009-1760 | ||||||||||||||||||||||||||||||||
| Created: | June 15, 2009 | Updated: | July 17, 2009 | ||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory: It was discovered that the Rasterbar Bittorrent library performed insufficient validation of path names specified in torrent files, which could lead to denial of service by overwriting files. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
mingw32-libpng: information disclosure
| Package(s): | mingw32-libpng | CVE #(s): | CVE-2009-2042 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 16, 2009 | Updated: | August 17, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the CVE entry: libpng before 1.2.37 does not properly parse 1-bit interlaced images with width values that are not divisible by 8, which causes libpng to include uninitialized bits in certain rows of a PNG file and might allow remote attackers to read portions of sensitive memory via "out-of-bounds pixels" in the file. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
mutt: SSL certificate vulnerability
| Package(s): | mutt | CVE #(s): | CVE-2009-1390 | ||||
| Created: | June 16, 2009 | Updated: | June 17, 2009 | ||||
| Description: | From the Fedora advisory: Version 1.5.19 fixes a problem with SSL certificate chain verification. | ||||||
| Alerts: |
| ||||||
perl: buffer overflow
| Package(s): | perl | CVE #(s): | CVE-2009-1391 | ||||||||||||||||||||||||||||||||||||
| Created: | June 16, 2009 | Updated: | December 4, 2009 | ||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla: Compress::Raw::Zlib versions before 2.017 contain a buffer overflow in inflate(). A badly formed zlib-stream can trigger this buffer overflow and cause the perl process at least to hang or to crash. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
php-ZendFramework: local file inclusion
| Package(s): | php-ZendFramework | CVE #(s): | |||||
| Created: | June 16, 2009 | Updated: | June 17, 2009 | ||||
| Description: | From the Red Hat bugzilla: Upstream Zend Framework 1.7.5 contains a security fix for a potential Local File Inclusion (LFI) vulnerability in the Zend_View::render() method. This fixed is tagged upstream as "controversial", as it breaks backwards compatibility and existing uses of method. | ||||||
| Alerts: |
| ||||||
tomcat: multiple vulnerabilities
| Package(s): | tomcat6 | CVE #(s): | CVE-2008-5515 CVE-2009-0033 CVE-2009-0580 CVE-2009-0781 CVE-2009-0783 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 15, 2009 | Updated: | November 2, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Ubuntu advisory:
Iida Minehiko discovered that Tomcat did not properly normalise paths. A remote attacker could send specially crafted requests to the server and bypass security restrictions, gaining access to sensitive content. (CVE-2008-5515) Yoshihito Fukuyama discovered that Tomcat did not properly handle errors when the Java AJP connector and mod_jk load balancing are used. A remote attacker could send specially crafted requests containing invalid headers to the server and cause a temporary denial of service. (CVE-2009-0033) D. Matscheko and T. Hackner discovered that Tomcat did not properly handle malformed URL encoding of passwords when FORM authentication is used. A remote attacker could exploit this in order to enumerate valid usernames. (CVE-2009-0580) Deniz Cevik discovered that Tomcat did not properly escape certain parameters in the example calendar application which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. (CVE-2009-0781) Philippe Prados discovered that Tomcat allowed web applications to replace the XML parser used by other web applications. Local users could exploit this to bypass security restrictions and gain access to certain sensitive files. (CVE-2009-0783) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>