[openstack-dev] [Glance][Security] Secure Hash Algorithm Spec

Jeremy Stanley fungi at yuggoth.org
Fri Sep 29 17:38:41 UTC 2017

On 2017-09-29 12:31:21 -0400 (-0400), Jay Pipes wrote:
> Can someone please inform me how changing the checksum algorithm
> for this operation to SHA-1 or something else would improve the
> security of this operation?

The current known flaws in MD5 pretty much boil down to this one
potential exploit scenario:

As a devious malcontent, I construct two images which are specially
engineered to result in the same MD5 checksum (this part alone may
not even be possible depending on the nature of the image protocol
and its metadata headers, but let's leave that aside for the
moment). One image is benign, and the other is malicious in nature.

I upload the benign image and get people to trust it. Later I
(again, exercise left to the imagination of the reader... leveraging
optional external image locations functionality in Glance?)
substitute the malicious image and people begin booting it instead,
continuing to trust it because it has the same checksum.

This example is, of course, contrived and riddled with gaping plot
holes; it would never make for a mystery bestseller. Who or what is
even validating these checksums to begin with? If you can get people
to run images you've uploaded, odds are it's game over anyway
regardless of whether or not the checksums change, and the known
avenues for that involve either an inside job or dangerous
configuration options.

The simpler explanation is that people hear "MD5 is broken" and so
anyone writing policies and auditing security/compliance just tells
you it's verboten. That, and uninformed alarmists who freak out when
they find uses of MD5 and think that means the software will be
hax0red the moment you put it into production. Sometimes it's easier
to just go through the pain of replacing unpopular cryptographic
primitives so you can avoid having this same discussion over and
over with people whose eyes glaze over as soon as you start to try
and tell them anything which disagrees with their paranoid
sensationalist media experts.

Oh, also, SHA-1 isn't much better in this regard.
Jeremy Stanley
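
Added example, not part of the original message and not Glance code: a consumer-side check that pins a SHA-256 digest next to the legacy checksum when an image is first trusted, and so catches a later swap that leaves the legacy checksum unchanged. The function names, the `checksum`/`sha256` keys and the one-byte MD5 truncation (used only so the demo can construct a colliding pair cheaply) are assumptions.

```python
import hashlib
import io

# Demo assumption: truncate the legacy MD5 checksum to 1 byte (2 hex chars) so a
# colliding pair can be found in a few hundred tries. trunc=None means full MD5.
DEMO_TRUNC = 2

def digests(stream, trunc=None, chunk=1 << 16):
    """Read the stream once; return the legacy checksum and a SHA-256 digest."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        md5.update(block)
        sha.update(block)
    return {"checksum": md5.hexdigest()[:trunc], "sha256": sha.hexdigest()}

def check_image(stream, pinned, trunc=None):
    """Compare an image against the digests pinned when it was first trusted."""
    got = digests(stream, trunc)
    if got["sha256"] == pinned["sha256"]:
        return "ok"
    if got["checksum"] == pinned["checksum"]:
        # Legacy checksum unchanged but content differs: the swap scenario.
        return "substituted"
    return "mismatch"

def variant(original, trunc, collide):
    """Demo only: find other bytes whose truncated checksum does/doesn't match."""
    target = hashlib.md5(original).hexdigest()[:trunc]
    n = 0
    while True:
        candidate = b"constructed replacement image %d" % n
        if (hashlib.md5(candidate).hexdigest()[:trunc] == target) == collide:
            return candidate
        n += 1

def demo():
    benign = b"constructed benign image bytes"
    pinned = digests(io.BytesIO(benign), DEMO_TRUNC)   # recorded at trust time
    swapped = variant(benign, DEMO_TRUNC, True)        # same legacy checksum
    damaged = variant(benign, DEMO_TRUNC, False)       # ordinary corruption
    return [check_image(io.BytesIO(b), pinned, DEMO_TRUNC)
            for b in (benign, swapped, damaged)]

if __name__ == "__main__":
    print(demo())
```

A verifier that compares only the legacy checksum would report the swapped image as unchanged; the pinned SHA-256 is what separates the second case from the first.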