Comments on projects I'm working on. All postings are my personal opinion only.
Friday, October 16, 2015
I wonder if IBM will update DAOS now SHA-1 has had a collision ?
I can imagine a scenario where you could give Domino a SHA1 generated file and it'll give you the real file... could be a problem.. could be a huge problem.
There hasn't been a collision. There has been a "freestart collision". See here for the distinction: http://crypto.stackexchange.com/questions/29695/what-is-a-freestart-collision It's a step along the way, but we already knew SHA-1 was broken. But being broken for security purposes like digital signatures is not the same as being broken for all purposes. To be useful as an attack against DAOS, the attacker would have to get his file processed first, before the file that he's trying to replace! So he has to know exactly what's in a file that has not yet been attached to a document on a Domino server but will be. And at worst, what happens? Since the file constructed to cause the collision is going to have to have lots of nonsense data in it, the worst consequence is denial of service - or maybe "denial of content", and frankly I think there are probaly always gooing to be far easier ways to accomplish that in a Notes/Domino environment.
But to be honest, I was surprised when IBM said they were going with SHA-1 when they rolled out DAOS. The writing was already on the wall for SHA-1 at that point, and it will obviously be very hard for them to change the hash algorithm.
I think there are some interesting potential attacks that are more than just denial of service. There are several formats that will ignore nonsense data - people have used PDFs for this in the past - so that isn't necessarily a problem.
And the attacker could send both the first and the second attachment. I'm imagining something where the attacked "seeds" the DAOS store with a bad attachment of some kind. Then when sending a later email it could contain what looks like a good file that effectively becomes the bad file when the user opens it. If there's different inbound mail filtering for different types of attachments or people from different domains then this could create some loopholes.
As you say, the collision isn't yet something which could be used to do this. And I doubt there are many attackers out there targeting Domino and DAOS this specifically. But it's interesting to think through at least, and if I were particularly paranoid I might start to worry about spear phishing attempts.
An alternative example I just thought of - using it to evade compliance requirements for message journaling.
If I want to send a "secret" message to someone I could create two PDFs with matching hashes and the secret message in the second PDF. Then send the first PDF out first and the second one shortly after. Any DAOS based journaling wouldn't have a copy of the second PDF.
Re journaling, IBM does not recommend enabling DAOS for journal files. This isn't their reason for that recommendation, but it certainly does add another one.
4 comments:
There hasn't been a collision. There has been a "freestart collision". See here for the distinction: http://crypto.stackexchange.com/questions/29695/what-is-a-freestart-collision
It's a step along the way, but we already knew SHA-1 was broken. But being broken for security purposes like digital signatures is not the same as being broken for all purposes. To be useful as an attack against DAOS, the attacker would have to get his file processed first, before the file that he's trying to replace! So he has to know exactly what's in a file that has not yet been attached to a document on a Domino server but will be. And at worst, what happens? Since the file constructed to cause the collision is going to have to have lots of nonsense data in it, the worst consequence is denial of service - or maybe "denial of content", and frankly I think there are probaly always gooing to be far easier ways to accomplish that in a Notes/Domino environment.
But to be honest, I was surprised when IBM said they were going with SHA-1 when they rolled out DAOS. The writing was already on the wall for SHA-1 at that point, and it will obviously be very hard for them to change the hash algorithm.
I think there are some interesting potential attacks that are more than just denial of service. There are several formats that will ignore nonsense data - people have used PDFs for this in the past - so that isn't necessarily a problem.
And the attacker could send both the first and the second attachment. I'm imagining something where the attacked "seeds" the DAOS store with a bad attachment of some kind. Then when sending a later email it could contain what looks like a good file that effectively becomes the bad file when the user opens it.
If there's different inbound mail filtering for different types of attachments or people from different domains then this could create some loopholes.
As you say, the collision isn't yet something which could be used to do this. And I doubt there are many attackers out there targeting Domino and DAOS this specifically.
But it's interesting to think through at least, and if I were particularly paranoid I might start to worry about spear phishing attempts.
An alternative example I just thought of - using it to evade compliance requirements for message journaling.
If I want to send a "secret" message to someone I could create two PDFs with matching hashes and the secret message in the second PDF. Then send the first PDF out first and the second one shortly after. Any DAOS based journaling wouldn't have a copy of the second PDF.
Re journaling, IBM does not recommend enabling DAOS for journal files. This isn't their reason for that recommendation, but it certainly does add another one.
Post a Comment