I just sent this message to cscott privately by mistake.

---------- Forwarded message ----------
From: Jameson Chema Quinn <jquinn at cs.oberlin.edu>
Date: Tue, Jun 3, 2008 at 11:54 AM
Subject: Re: [OLPC Security] [Techteam] Crypto export and python-crypto
To: "C. Scott Ananian" <cscott at laptop.org>


Thanks again for responding; while I still disagree, I am definitely
learning from this conversation.
http://wiki.laptop.org/go/Firmware_Key_and_Signature_Formats<http://wiki.laptop.org/go/Firmware_Key_and_Signature_Formats#Antitheft.2FActivation_Lease>
and
http://wiki.laptop.org/go/Contents_manifest_specification
This is true, but totally separate from the attack you mentioned, which is
in fact a practical (though limited) attack. Without reading the references,
the implication is that v2.1 is better than v1.5 only in terms of its
provability; not only are there no practical attacks on v1.5, there is not
even any intimation of any theoretical/incomplete ones, just the theoretical
possibility that such might exist.
My reading of this is that there are three stages to a signature.
1. manifest file: each subfile is signed by an arbitrary set of hashes
including md5
2. .sf file: an arbitrary subset of the files in manifest. Each entry in the
manifest, including hashes, is signed by md5 alone.
3. digital signature: an RSA (+md5), DSA, or PGP signature on the .sf file.

Thus md5 appears 2 or 3 times in this chain, and in step 2 there are no
options or redundancy. While a naive view would say that the constraints on
the manifest entry format are tight enough to make it more difficult to
forge a signature by breaking step 2, a meet-in-the-middle
attack<http://en.wikipedia.org/wiki/Meet-in-the-middle_attack>could
theoretically break it in as little as twice the time needed to break
md5. Also, step 3 does not allow for a simple rsa+shaxxx signature without
using pgp.

<http://java.sun.com/j2se/1.3/docs/guide/jar/jar.html#Digital%20Signatures>
You are right. So it is possible to abuse the format to allow this by
signing signatures. However, the metadata on signatures must then be
separate - either in separate files or as magic attributes in the manifest.
This feels like an ugly hack to me.

(Sorry, I realize that I am not fully explaining my thoughts here, because
it is beside the point. I assert that there is a way, but there is no good
way, within this format, for a master key to say "Signatures from key xxx
are valid, as long as their signed metadata states that they were requested
by activity yyy". Explaining the details of the bad way I can imagine is
unimportant; if you have a good way, let's talk about that instead.)
Ouch. This is somewhat of a monster of a year-old unimplemented
specification. It definitely has its attractions, but does not address the
problem I was attempting to refer to: compressed files will have much
noisier diffs from version to version. On a compressing, versioning file
system like jffs + olpcfs, storage should be in an uncompressed archive
format like tar IMO. Note that, with Develop, there may be dozens of
versions of one activity on the same machine; the redundancy between
versions dominates the redundancy within a given version (and the latter is
taken care of by jffs2 at the lowest level anyway.)
You are correct, I was mistaken.
Obviously, I need to state my design goals more clearly and explicitly; it
is my fault you are puzzled. I will begin to compose an email to do that
now, meanwhile I will send this off.

Jameson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.laptop.org/pipermail/security/attachments/20080603/7f7a476e/attachment-0001.htm