Forum List Message List New Topic Print View

Gena Makhomed

September 07, 2015 03:30PM

On 07.09.2015 19:58, Maxim Dounin wrote:

>>> Also, it's important to understand that, while collision attacks
>>> now exists, it doesn't really make MD5 bad for various
>>> non-security uses.
>>
>> nginx cache is security use too.
>>
>> If user configure common shared cache for all virtual servers,
>> and config have two servers: first, protected by access,
>> auth_basic or auth_request modules from unauthorized use,
>> and second server with publicly available content.
>>
>> If attacker know proxy_cache_key, for example $scheme$host$request_uri
>> and know $request_uri from protected site - he can create MD5/crc32
>> collision by building specific $request_uri for second server,
>> and he will got unauthorized access to protected content
>> from the first, protected web site.
>>
>> This is looks like vulnerability.
>
> Yes, this looks like a valid example of a potentially affected
> configuration. Though as far as I know, it is not currently
> possible to construct a value (which choosen prefix) that maps to
> a given md5 value.

It is possible and already was used to create forged certificates.

In 2007, a chosen-prefix collision attack was found against MD5,
requiring roughly 2**50 evaluations of the MD5 function. The paper
also demonstrates two X.509 certificates for different domain names,
with colliding hash values. This means that a certificate authority
could be asked to sign a certificate for one domain, and then that
certificate could be used to impersonate another domain.
-
https://en.wikipedia.org/wiki/Collision_attack#Chosen-prefix_collision_attack

Details: http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/

Current nVidia GPU hardware can process hundreds of thousands
of MD5 hashes per second, and multiple GPU can be used
in cluster with linear scalability, as I understand.

>> And this vulnerability can be fixed as Sergey Brester propose:
>>
>> We should always compare the keys,
>> after cache entry with hash value was found.
>>
>> Or vulnerability can be minimized by using secure hash
>> function instead of current cryptographically broken MD5.
>
> I think moving away from MD5 is a right way to go.

160-bit SHA1 ?

....we present an identical-prefix collision attack
and a chosen-prefix collision attack on SHA-1 with
complexities equivalent to approximately 2**61
and 2**77.1 SHA-1 compressions, respectively.
- https://marc-stevens.nl/research/papers/EC13-S.pdf

SHA1 also was considered as insecure for SSL certificates,
and now all forced to migrate from SHA1 to at least SHA-256:
http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html

Collision attacks against SHA-1 are too affordable:
https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html

Content cached in nginx caches also can be very valuable,
even more valuable than SSL certificates for other sites.

====================================================

Using SHA-256 or SHA-512 or SHA3-256 or SHA3-512 is secure
right now, but it requires more CPU power and more memory.

More secure and robust way is to store proxy_cache_key
value into cache file on disk and check this value
before sending cached response to client. In such way
we can be ensured, what cache misuse is not possible,
and may be even fast 128-bit secure hash functions
can be used, to minimize memory usage and CPU requirements.
SHA1 truncated to 128 bits or something better than SHA1,
or even leave current MD5 as is - for retaining backward
compatibility with existing installations around the world.

If retaining backward compatibility is not mandatory,
may be SHAKE128(M, 128) can be used as 128-bit hash
for saving server memory, but checking proxy_cache_key value
is still required for preventing information disclosure attacks,
- because this is only 128 bit hash and it can be brute forced
in near future, as it described at Bruce Schneier site for SHA1.

P.S.

Using MurmurHash is not good idea, because attacker
can easy make collisions and invalidate popular entries
from cache, and this technology can be used for DDoS attacks.
(even in case if only one site exists on server with nginx cache)

Using secure hash function for nginx cache is strong requirement,
even in case then full proxy_cache_key value check will be added.

--
Best regards,
Gena

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
How does Nginx look-up cached resource?	Shuxin Yang	942	September 03, 2015 09:40PM
Re: How does Nginx look-up cached resource?	Maxim Dounin	307	September 04, 2015 09:24AM
Re: How does Nginx look-up cached resource?	Sergey Brester	348	September 04, 2015 11:38AM
Re: How does Nginx look-up cached resource?	Maxim Dounin	338	September 04, 2015 02:12PM
Re: How does Nginx look-up cached resource?	Sergey Brester	448	September 04, 2015 02:58PM
Re: How does Nginx look-up cached resource?	Maxim Dounin	298	September 04, 2015 03:44PM
Re: How does Nginx look-up cached resource?	Sergey Brester	334	September 04, 2015 05:02PM
Re: How does Nginx look-up cached resource?	Maxim Dounin	343	September 05, 2015 08:10PM
Re: How does Nginx look-up cached resource?	Sergey Brester	386	September 07, 2015 09:36AM
Re: How does Nginx look-up cached resource?	Maxim Dounin	362	September 07, 2015 12:20PM
Re: How does Nginx look-up cached resource?	Sergey Brester	302	September 07, 2015 12:34PM
Re: How does Nginx look-up cached resource?	Gena Makhomed	363	September 04, 2015 05:22PM
Re: How does Nginx look-up cached resource?	Maxim Dounin	328	September 05, 2015 09:58PM
Re: How does Nginx look-up cached resource?	Gena Makhomed	308	September 07, 2015 10:46AM
Re: How does Nginx look-up cached resource?	Maxim Dounin	294	September 07, 2015 01:00PM
Re: How does Nginx look-up cached resource?	Gena Makhomed	432	September 07, 2015 03:30PM
Re: How does Nginx look-up cached resource?	Sergey Brester	405	September 07, 2015 05:24PM
Re: How does Nginx look-up cached resource?	Gena Makhomed	559	September 07, 2015 07:20PM
Re: How does Nginx look-up cached resource?	Maxim Dounin	479	September 07, 2015 09:42PM
Re: How does Nginx look-up cached resource?	Gena Makhomed	441	September 08, 2015 05:08PM
Re: How does Nginx look-up cached resource?	Maxim Dounin	467	September 09, 2015 01:18PM
Re: How does Nginx look-up cached resource?	Sergey Brester	338	September 10, 2015 05:58AM
Re: How does Nginx look-up cached resource?	Sergey Brester	332	September 10, 2015 08:56AM
Re: How does Nginx look-up cached resource?	Maxim Dounin	357	September 10, 2015 10:48AM
Re: How does Nginx look-up cached resource?	Sergey Brester	319	September 10, 2015 11:08AM
Re: How does Nginx look-up cached resource?	Maxim Dounin	322	September 10, 2015 11:34AM
Re: How does Nginx look-up cached resource?	Sergey Brester	332	September 10, 2015 11:56AM
Re: How does Nginx look-up cached resource?	Maxim Dounin	347	September 10, 2015 01:00PM
Re: How does Nginx look-up cached resource?	Sergey Brester	611	September 10, 2015 04:54PM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 154

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018