[Cryptography] The computer forensics world still using SHA-1

Natanael natanael.l at gmail.com
Wed Aug 18 03:11:06 EDT 2021


On Wed, 18 Aug 2021 at 07:54, Phillip Hallam-Baker <hallam at gmail.com> wrote:

> On Tue, Aug 17, 2021 at 10:44 PM RB <aoz.syn at gmail.com> wrote:
>
>
>> > * Uses SHA-1 and MD5 digests for integrity.
>>
>> Both digests coupled with a known size (which most disk forensics is
>> based on), is bad but not as wildly bad as it could be.  Moreover,
>> they're far more interested in the physical chain-of-custody documents
>> of a given disk and its image (usually stored offline, on another
>> disk) than they are the cryptographic soundness of their digest
>> algorithm. If the latter fails, guess which they trust?
>>
>
> These are Merkle-Damgard constructions, so if MD5 can be broken and SHA-1
> can be broken, breaking both is simply a matter of breaking them in
> different blocks. Easy.
>
> Sure, the physical chain of custody is a backup. But if the defense is
> alleging the materials were tampered with, show the hash is broken and the
> case is toast.
>

This was tested recently in a different way, and the conclusion which I
saw from the lawyers who commented on it is that if the defense can't show
the weakness was likely exposed in *their* case, then court-approved chain
of custody is sufficient for certifying integrity.

See the kerfuffle caused by Moxie (one of the Signal devs) publishing
exploits in a smartphone imaging tool commonly used by law enforcement.

Original article:
https://signal.org/blog/cellebrite-vulnerabilities/

Because after all, if courts are OK with physical evidence stored in
evidence lockers where the locks can be picked, relying on outsiders not
being able to reach the locker undetected, then why wouldn't they be OK
with this?

(you can make the argument that they shouldn't, and should require greater
security, but this is how things work today)

From RB:

> * No enrollment in append only log
>>
>> Whose append-only log do you trust, and how do you implement it
>> isolated from Internet connectivity, which is where most actual
>> commercial disk forensics is conducted?
>
>
Easy enough to solve. Generate the hashes offline, extract them (perhaps
with a local offline printer), bring them to an online system where you
can publish the hashes.

Like PHB noted, you can have multiple logs cross-reference each other to
enforce "backtracking resistance".
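As an added illustration of the offline-digest plus cross-referenced-logs scheme sketched in the message above (this is example code written for this page, not code from the thread's participants or from any forensic tool): two hash-chained append-only logs, one kept by the lab that images the disk and one kept by an independent party, where the second log periodically records the first log's current head as a "witness" entry. A later rewrite of the lab's log that keeps its own chain internally consistent is still detected, because the witnessed head no longer reproduces. The log names, entry format and sample image bytes are constructed for the example; SHA-256 is used for every digest rather than the SHA-1/MD5 pair discussed in the thread.

```python
"""Added example (not from the mailing list thread): an offline-generated
evidence digest published into two hash-chained append-only logs that
cross-reference each other's heads.  Names, entry layout and sample data
are constructed for illustration."""
import hashlib
from dataclasses import dataclass, field
from typing import List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_image(image: bytes) -> str:
    """Digest of the disk image, computed on the air-gapped imaging box."""
    return sha256_hex(image)


@dataclass
class Entry:
    index: int
    payload: str
    prev: str   # head of the log before this entry was appended
    head: str   # sha256(prev || "\n" || payload)


@dataclass
class Log:
    name: str
    entries: List[Entry] = field(default_factory=list)

    def genesis(self) -> str:
        return sha256_hex(self.name.encode())

    def head(self) -> str:
        return self.entries[-1].head if self.entries else self.genesis()

    def append(self, payload: str) -> Entry:
        prev = self.head()
        head = sha256_hex(f"{prev}\n{payload}".encode())
        entry = Entry(len(self.entries), payload, prev, head)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Every entry links to the previous head and reproduces its own head."""
        prev = self.genesis()
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev != prev:
                return False
            if e.head != sha256_hex(f"{prev}\n{e.payload}".encode()):
                return False
            prev = e.head
        return True


def witness(target: Log, other: Log) -> Entry:
    """Record the other log's size and head in the target log."""
    return target.append(f"witness {other.name} {len(other.entries)} {other.head()}")


def check_witness(target: Log, other: Log) -> bool:
    """Replay `other` up to the most recent witness entry in `target` and
    check that it still reproduces the head that was witnessed."""
    for e in reversed(target.entries):
        if e.payload.startswith(f"witness {other.name} "):
            _, _, count, witnessed_head = e.payload.split(" ")
            n = int(count)
            if n > len(other.entries):
                return False          # history got shorter: backtracking
            replay = Log(other.name, other.entries[:n])
            return replay.verify_chain() and replay.head() == witnessed_head
    return True                       # nothing witnessed yet


def rewrite_history(log: Log, index: int, new_payload: str) -> None:
    """Simulate a party with write access to one log replacing an entry and
    recomputing every later head so that log alone still verifies."""
    log.entries[index].payload = new_payload
    prev = log.entries[index].prev
    for e in log.entries[index:]:
        e.prev = prev
        e.head = sha256_hex(f"{prev}\n{e.payload}".encode())
        prev = e.head


if __name__ == "__main__":
    lab = Log("lab-A")            # log kept by the imaging lab
    notary = Log("notary-B")      # independent log that witnesses lab-A
    image = b"constructed disk image bytes"          # constructed sample
    lab.append(f"case-0001 image sha256={digest_image(image)}")
    witness(notary, lab)          # cross-reference published online
    print("chains ok:", lab.verify_chain() and notary.verify_chain())
    print("witness ok:", check_witness(notary, lab))
    rewrite_history(lab, 0, "case-0001 image sha256=" + "0" * 64)
    print("lab chain still self-consistent:", lab.verify_chain())
    print("witness still ok:", check_witness(notary, lab))   # False
```

The point of the second log is that a rewrite of the lab's log has to happen before the notary witnesses its head; after that, any change to the witnessed prefix is visible to whoever holds the notary log, which is the "backtracking resistance" referred to above. Publishing the witnessed heads somewhere the defense can independently retrieve them is what turns this into evidence rather than a private bookkeeping aid.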