Matasano Chargen: Notarized Advisories: Prove You Found Something Without Giving Up Secrets

  • tom ferris · 3 years ago
    hahhaha you must be bored. :)
  • Thomas Ptacek · 3 years ago
    No, just frustrated that we can't get stuff published.
  • Thomas Ptacek · 3 years ago
    Also, I'm guessing the utility of this is less obvious if you're not even telling the vendor before you post vulnerabilities, let alone waiting for a patch. ;)
  • Chris · 3 years ago
    Or, you could go Old Skool: type up the details and send them to yourself via certified mail. Then, when you're running low on ego, control, or competition, you unseal the envelope and prove you were there first.

    This mechanism may also have the added value of being one that courts are familiar with.
  • kurt wismer · 3 years ago
    reminds me of vulnerability escrow except it doesn't require a trusted 3rd party... i think the trusted 3rd party would solve the trusted timestamp problem though...
  • Thomas Ptacek · 3 years ago
    Yeah, but you can't post the certified mail on your web site to take credit. =)
  • Josh Daymont · 3 years ago
    You could scan the printed docs and the certified mail label and post those. But yea for the internet a *published* signed md5 is probably better
  • Ryan Russell · 3 years ago
    A number of years ago, about when I started the vuln-dev list, I wanted to start a second mailing list. The purpose of the list would be to post encrypted emails. Such emails could include things like PGP passphrase-encrypted notes. The assumption is that the list would be mirrored in enough places so that there would be little chance of archive tampering.

    One of the purposes of such a list was for people to post their encrypted exploits. That way, they could just post the key at a later date, and prove that they had something at a particular time.

    The hash version is perhaps a little more elegant. Though, the hash algorithms need to quit failing so fast.

    For some reason, SecurityFocus wasn't interested in hosting such a list, go figure. So I never started it.
  • Nate · 3 years ago
    MD5 is completely insecure against collisions. May I never hear it mentioned by you or Josh again. Just in case you forgot, you're a SECURITY consultant.
  • Thomas Ptacek · 3 years ago
    Did I slip up and say MD5 somewhere?

    How much better is SHA1 at this point anyways?
  • Mark · 3 years ago
    Raymond Chen had a similar idea:
    http://blogs.msdn.com/oldnewthing/archive/2006/...

    (It provoked a really interesting response: people thought it was a challenge to decode his prediction!)
  • Ryan Russell · 3 years ago
    Right this very second, as far as those of us in the general populace can tell, SHA1 is WAY better than MD5. As in, SHA1 is only (publicly) broken for reduced-round attacks, for (I think) two chosen plaintexts. I haven't been able to find yet what "broken" is either, in terms of how many bits do I have to brute force? Is it 64 bits, or what?
  • Dan Moniz · 3 years ago
    If you care about the integrity of hashes for potentially years and decades into the future, as Tom's use proposes, *right now*, you shouldn't be using MD5 or SHA1, you should be using SHA-256 or SHA-512 (skip SHA-384), and you should be looking to move to something better in a few years as SHA in general looks worse with each year's Crypto conference.
  • Thomas Ptacek · 3 years ago
    While I agree with Dan, it's worth noting that if I was pen-testing this system, I wouldn't aim at the hash function first. =)
  • Dan Moniz · 3 years ago
    Heck, I'm a little bored too.

    I haven't looked at Tom's idea above more than just the initial glance to read the post (i.e., I haven't read it in detail yet), but to point out other potential ways you could extend this or augment it, here are some ideas.

    Add blinding, and a third party to be the notary. The canonical (Applied Crypto, 2nd Ed.) simple example is something like (from memory):

    1. Peter Pwnerson takes his exploit (code and notes, or whatever) and multiplies it by a random value. Peter now has a blinded exploit and the random value is a blinding factor.

    2. Peter sends the blinded exploit to Nancy Notary.

    3. Nancy signs the blinded document.

    4. Peter divides the blinded exploit by the blinding factor, leaving the original exploit, signed by Nancy.

    There are, of course, a whole bunch of caveats regarding randomness, etc. Mostly this helps Tom's protocol, which relies on Peter to create the timestamp and can be subverted. Nothing stops me from backdating a bunch of stuff, except maybe that no one saw me "publish" the hash when I claim I did. Still.

    One other somewhat related thing I've been idly thinking about this week has been what kind of real-world zero-knowledge protocol could be implemented to address the issue that David Maynor and Jon Ellch have been dealing with.
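The four-step blinded-notary exchange in the comment above, written out as an added worked example (this is not code from the thread or from Matasano): Peter blinds the hash of his document with a random factor, Nancy signs the blinded value without ever seeing the hash, and Peter strips the factor off to recover an ordinary signature that anyone holding Nancy's public key can verify. The RSA parameters are constructed toy values (two Mersenne primes, far too small for real use); the names `blind`, `notary_sign`, `unblind` and `notarize` are this example's own.

```python
from __future__ import annotations

import hashlib
import secrets
from math import gcd

# Toy RSA key for Nancy Notary, constructed for this example only.
# Two Mersenne primes: small enough to read, useless as a real key.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537                                  # Nancy's public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # Nancy's private exponent


def digest_as_int(document: bytes) -> int:
    """Hash the document with SHA-256 and reduce it into Z_N (toy-sized N)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def blind(m: int) -> tuple[int, int]:
    """Step 1 (Peter): pick a blinding factor r coprime to N and hide m as m * r^E.

    Returns (blinded value, r); r must be kept to unblind later.
    """
    while True:
        r = secrets.randbelow(N - 2) + 2     # 2 .. N-1
        if gcd(r, N) == 1:
            break
    return (m * pow(r, E, N)) % N, r


def notary_sign(blinded: int) -> int:
    """Step 3 (Nancy): sign whatever she is handed; she learns nothing about m."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Step 4 (Peter): divide out r, leaving m^D mod N, Nancy's signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(m: int, sig: int) -> bool:
    """Anyone with Nancy's public key (E, N) checks sig^E == m."""
    return pow(sig, E, N) == m


def notarize(document: bytes) -> tuple[int, int]:
    """Run the whole exchange for one document; returns (m, signature)."""
    m = digest_as_int(document)
    blinded, r = blind(m)                    # steps 1-2: Peter sends `blinded` to Nancy
    sig = unblind(notary_sign(blinded), r)   # steps 3-4
    return m, sig


if __name__ == "__main__":
    advisory = b"constructed advisory text: vendor X, issue Y"   # sample input
    m, sig = notarize(advisory)
    print("signature verifies:", verify(m, sig))
```

The caveat the comment mentions about randomness shows up in `blind`: if `r` were predictable, Nancy could strip the blinding herself and read `m`. Note also what this does and does not give you: Nancy's signature proves she saw the blinded value, so the timestamp is now hers rather than Peter's, but the scheme still needs Nancy to be online and trusted, which is exactly the infrastructure the original proposal avoids.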
  • Thomas Ptacek · 3 years ago
    That suggestion seems sound, but it's not in the spirit of the original proposal. If we had an actual online notary for our advisories then, like Ryan suggested, we could simply encrypt them and file them.

    This proposal works in the absence of any infrastructure. Unless someone tells me "you idiot, this won't work because...", we'll probably publish most of our advisory backlog this weekend using it.

    One extension I came up with since last night: tack a key to the end of your advisory before you notarize it (head /dev/urandom | openssl sha1). This gives you the option, though you probably won't take it, of publishing an advisory later WITHOUT disclosing how long the vendor took (just change the key).
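The commit-now, reveal-later scheme as discussed in this thread, with the random key appended to the advisory, written up as an added example (not code from the post or from Matasano). It uses SHA-256 rather than MD5 or SHA1, following Dan's point above; the key is a 256-bit random value standing in for `head /dev/urandom | openssl sha1`, and the function names `commit` and `verify_commitment` are this example's own.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def commit(advisory: bytes, key: bytes | None = None) -> tuple[str, bytes]:
    """Return (publishable SHA-256 digest, secret key) for an advisory.

    The key's hex form is tacked onto the end of the advisory before hashing.
    Publish only the digest now; keep the advisory and key private until disclosure.
    """
    if key is None:
        key = secrets.token_bytes(32)          # 256 random bits, kept secret with the advisory
    notarized = advisory + b"\n" + key.hex().encode()
    return hashlib.sha256(notarized).hexdigest(), key


def verify_commitment(advisory: bytes, key: bytes, published_digest: str) -> bool:
    """Anyone can recompute the digest from the revealed advisory + key.

    A match shows the advisory existed, unchanged, when the digest was published.
    """
    recomputed, _ = commit(advisory, key)
    return hmac.compare_digest(recomputed, published_digest)


if __name__ == "__main__":
    # Constructed sample advisory; a real one would hold the technical details.
    advisory = b"Advisory: example product, example issue. Reported to vendor on <date>."
    digest, key = commit(advisory)
    print("publish now:", digest)
    # Later, at disclosure, reveal `advisory` and `key` so readers can check:
    print("verifies:", verify_commitment(advisory, key, digest))
```

Two things worth seeing in the code. Binding: any change to the advisory text after publication fails `verify_commitment`, which is the "prove you found it" half. The key: without it, a reader who guesses the advisory's wording could confirm the guess against the published digest, so the random suffix keeps the digest uninformative until you choose to reveal; and, as the comment says, committing to a fresh key yields an unrelated digest, which is what lets you publish a version later that is not tied to the notarized one. What the scheme cannot do is fix the time of publication by itself; that still rests on where the digest was posted and who saw it.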
  • Dan Moniz · 3 years ago
    Well, right, or in that this still requires infrastructure (i.e. public mailing lists whose operators are unlikely to collude with you) but infrastructure we already have and rely on, at least to a degree.
  • dugsong · 3 years ago
    peter honeyman did this almost a decade ago with the publication of some vulnerabilities in Schlumberger's Java smartcard - he mailed them a copy of the Michigan Daily's classified section, where he'd taken out an ad containing the MD5 hash of his advisory (which i can't find anymore, but some photographic evidence still exists :-)

    http://www.citi.umich.edu/projects/smartcard/le...
    http://www.citi.umich.edu/projects/smartcard/sm...
  • Thomas Ptacek · 3 years ago
    Peter Honeyman, as usual, rules.
  • Anton Stiglic · 3 years ago
    The idea was discussed in a class by Claude Crépeau back in 1994, at least.
    Definitely not a new idea, but still interesting.
  • Lucas Nelson · 3 years ago
    This reminds me a bit of Ross Anderson's Guy Fawkes protocol. Of course the point there was to remain anonymous and yet prove that one had predicted something.

    http://www.cl.cam.ac.uk/~rja14/Papers/fawkes.pdf