Re: Integrity checking NANOBSD images

Mike Tancsa wrote:
[ ... ]
# ssh remote1.example.com "/tmp/rand-directory/dd if=/dev/ad2s1a bs=4096k | /tmp/rand-directory/sha256"
120+1 records in
120+1 records out
505389056 bytes transferred in 169.727727 secs (2977646 bytes/sec)
955ebad583bfc0718eb28ac89563941407294d5c61a0c0f35e3773f029cc0685

Can I be reasonably certain the image has not been tampered with ? Or are there trivial ways to defeat this check ?

Checksumming the device image is a fine way of checking the integrity of it, assuming it is read-only. The only thing you might want to do is use two or three checksum algorithms (ie, use sha256 and md5 and something else), so that someone can't create a new image which matches the sha256 checksum of the original.

--
-Chuck
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • Re: Integrity checking NANOBSD images
    ... The only thing you might want to do is use two or three checksum algorithms (ie, use sha256 and md5 and something else), so that someone can't create a new image which matches the sha256 checksum of the original. ... That suggestion is a very good point, although trying to find a single trojaned image which matches several checksum methods is supposed to be a highly difficult task. ...
    (FreeBSD-Security)
  • FW: MD5 - Message Digest 5
    ... MD5 - Message Digest 5 ... Several weeks ago, this column discussed the cksum (i.e., checksum) ... files even if they have never used the md5 command. ... To make use of the md5 command, you will need to download and install ...
    (Debian-User)
  • Re: MD5 Weakness Exploited
    ... I disagree that we should consider MD5 sums as worthless. ... verified using a checksum from somewhere else. ... shared with the SHA-1 algorithm. ...
    (comp.os.os2.apps)
  • Re: MD5 Weakness Exploited
    ... While what they have achieved is not the same as producing an identical MD5 ... verified using a checksum from somewhere else. ... tools to verify that the download matches what was intended to retrieve. ... and the check sum from Keith's site. ...
    (comp.os.os2.apps)
  • Re: Masking the address
    ... My bad, MD5 isn't encryption ... ... checksum being something that is added to a string to ensure that the ... whole string is hashed into something compleatly different and that no ... resources and time to break md5, there are much better methods to break ...
    (comp.infosystems.www.authoring.cgi)