[PLUG] Re: rpms

Tyler F. Creelan creelan at engr.orst.edu
Thu Sep 12 18:28:49 UTC 2002


> Well, when using pgp, you're using a public/private keypair. What this
> means is that (in theory) the only way to trojan the files would be to
> get the key Redhat uses to sign the RPMs they release.

In theory you could also introduce your trojan in such
a way that the modified rpm hashes to the same value. While not yet
practical for MD5, such techniques for eliciting collisions and
pseudo-collisions have been shown:

Dobbertin, H. (1996). "The Status of MD5 After a Recent
Attack," RSA Laboratories' CryptoBytes, Volume 2, Number 2.
ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto2n2.pdf

Tyler

-----------------------------
Tyler F. Creelan
College of Engineering
Oregon State University
503-640-3101
-----------------------------

On Thu, 12 Sep 2002, Russ Johnson wrote:

> Colin Kuskie wrote:
>
> >I'm questioning the combination of the two (apt-rpm), but in general
> >the use of automated downloads and install
> >
>
> Well, when using pgp, you're using a public/private keypair. What this
> means is that (in theory) the only way to trojan the files would be to
> get the key Redhat uses to sign the RPMs they release. The key we have
> to verify the signature can only verify, it can't create.
>
> --
> "The power to untie is stronger than the power to tie."
>
> Well, yeah, otherwise my shoes would tie themselves.
>
> ---
>
> Russ Johnson
> Stargate Online
>
> http://www.dimstar.net
> telnet://telnet.dimstar.net
> ICQ: 3739685:Airneil
>
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>