[Cryptography] Oracle discovers the 1990s in crypto

[Ron Garret]

On Jan 23, 2017, at 11:30 AM, Ray Dillinger <bear at sonic.net> wrote:

> 
> 
> On 01/23/2017 10:35 AM, Arnold Reinhold wrote:
> 
>> It’s true that tampering with existing signed objects requires a second pre-image attack, but creating two versions of software with the same sig could be accomplished by an entity who has the ability alter the final version of the legitimate object being signed, say by modifying a random nonce, bitmap or seed, or messing with white space in comments. This attack mode would only require a collision attack. The entity could be a mole working for loyalty to a cause, financial gain, or under duress. It might be done remotely if configuration management security is breached or the government could order cooperation e.g. in the U.S. by National Security Letter.
> 
> FWIW, the 'diff' utility as frequently deployed in software
> shops ignores whitespace.  A change to the code modifying
> whitespace only would often pass without a 'blip' on change
> control.  Someone who has malicious code could modify its
> source *and* the source of some innocuous program to have
> the same hash, in such a way that the innocuous source would
> not register as "changed" to a set of tools that might be
> in use at the shop involved.

A defense against this is to add a step to the build process that computes a keyed hash of the source code and adds a generated file to the source tree that binds a global variable to this hash.  This will cause the hash of the binary to change in an unpredictable way upon any change to the source, whether the RCS detects it or not.

rg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20170123/7498f2a5/attachment.sig>