Are Ubuntu packages (deb-files) only md5sum secured?
Introductory Background to the question below
(so the question is more usable to more people)
Inside of an Ubuntu/debian-style package (*.deb file) there is a file named `/DEBIAN/md5sums` which has a content of this form:

```
212ee8d0856605eb4546c3cff6aa6d35  usr/bin/file1
4131b66dc3913fcbf795159df912809f  path/to/file2
8c21de23b7c25c9d1a093607fc27656a  path/to/file3
c6d010a475366e0644f3bf77d7f922fd  path/to/place/of/file4
```
I assume this file is used to check that the files which come with the package have not been corrupted somehow. Since the file is called `/DEBIAN/md5sums`, I assume the hex number before the path and filename is the MD5 Message-Digest Algorithm hash of the package's files.
Now everybody interested knows that the MD5 hash was broken a long time ago. Therefore it is totally possible to change the content of a file in the package (e.g. maliciously) and still have the file keep the same MD5 hash (see for instance the proof of concept "Predicting the winner....").
Question
Bearing in mind the information above I want to know the following:
Assuming I install a package in my Ubuntu system, is `DEBIAN/md5sums` the only means to make sure the data has not been tampered with?
Answering the question I think it could help to figure out the following:
- Are the deb packages as a whole also hashed (hash values made for them), so that there is another way to make sure the files received are "safe"/"untampered"?
- If there are other ways than the `DEBIAN/md5sums` file to ensure integrity, what is the file included in the *.deb packages for anyhow?
- Does Ubuntu use hashes for the repository/package system that are "less broken" than SHA-1 and MD5?
which unfortunately I do not know either.
Any response which can shed light on the question (or even only a subquestion) is very welcome.
update
(1) https://help.ubuntu.com/community/Repositories/Ubuntu#Authentication_Tab seems to indicate that there is (as I hoped for) some public/private GPG key mechanism going on (to keep the repos and package systems safe from attacks). There is not very much information at the linked location, though. It tells almost nothing about the security aspect of the package system. Anyhow, I assume the link already indicates that the answer to the question will be "NO - at least the deb packages from the repo - are also secured by ....". I hope somebody has some insights to use for an answer here.
(2) This question also seems to be about the topic of "security" in the Ubuntu package system, so I just add it here so it is at hand if somebody strives to figure the question out: Why are the proposed BADSIG (on apt-get update) fixes secure?
Ubuntu publishes a manifest that is signed with an RSA key. The manifest lists individual `Packages` index files, each with MD5, SHA-1 and SHA-256 hashes. Each `Packages` file lists individual `.deb` files with MD5, SHA-1 and SHA-256 hashes.
For verification, apt uses the best hash that it supports and is published by the archive it is downloading from. In the case of the Ubuntu archive, this is SHA-256.
So the entire chain of installing packages on your Ubuntu system is protected by RSA and SHA-256.
The MD5 protection that exists in dpkg is really only useful for accidental corruption, and not necessary to protect the installation path.
You might be interested in the `debsums` package, but since it uses MD5s, it also is only useful for checking for accidental corruption.
If you want to check for malicious system modification, then these are not the appropriate tools for you. You will need to take the system offline and check against either a previous record, the original package files, or secure hashes generated from these.
Note that since a successful malicious modification might be to simply downgrade a package to the one prior to a security update, checking that all installed package files match against their originals may not be sufficient either.
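The chain described in this answer (manifest, then `Packages` index, then `.deb`), as an added example that is not part of the original answer and is not apt's own code. It assumes the RSA signature on the manifest has already been verified; the function names are hypothetical and the sample archive is constructed in `build_sample()`.

```python
import hashlib

# Strongest first. Keys are upper-cased: Release writes "MD5Sum", Packages "MD5sum".
HASHERS = {"SHA256": hashlib.sha256, "SHA1": hashlib.sha1, "MD5SUM": hashlib.md5}

def parse_release(text):  # -> {ALGO: {path: (hexdigest, size)}}
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current:
            digest, size, path = line.split()
            sections.setdefault(current, {})[path] = (digest, int(size))
        else:
            name = line.split(":", 1)[0].upper()
            current = name if name in HASHERS else None
    return sections

def parse_packages(text):  # -> {package: {FIELD: value}}, single-line fields only
    stanzas = {}
    for block in text.strip().split("\n\n"):
        f = {k.upper(): v for k, v in (l.split(": ", 1) for l in block.splitlines() if ": " in l)}
        stanzas[f["PACKAGE"]] = f
    return stanzas

def matches(data, digest, size, algo):
    # Both the length and the digest must agree with the listing.
    return len(data) == size and HASHERS[algo](data).hexdigest() == digest

def verify_chain(release_text, index_path, index_bytes, deb_bytes, pkg):
    """Release -> Packages -> .deb. Returns the hash used, raises on mismatch.
    Assumption: the signature on release_text was verified before this call."""
    sections = parse_release(release_text)
    algo = next(a for a in HASHERS if a in sections)  # best hash the archive publishes
    if not matches(index_bytes, *sections[algo][index_path], algo):
        raise ValueError("Packages index does not match Release")
    stanza = parse_packages(index_bytes.decode())[pkg]
    algo = next(a for a in HASHERS if a in stanza)
    if not matches(deb_bytes, stanza[algo], int(stanza["SIZE"]), algo):
        raise ValueError(".deb does not match Packages index")
    return algo

def build_sample():
    """Constructed sample: a stand-in .deb, its Packages stanza, and a Release."""
    deb = b"constructed stand-in for hello_1.0_all.deb"
    index = ("Package: hello\nFilename: pool/main/h/hello_1.0_all.deb\n"
             f"Size: {len(deb)}\nMD5sum: {hashlib.md5(deb).hexdigest()}\n"
             f"SHA256: {hashlib.sha256(deb).hexdigest()}\n").encode()
    path = "main/binary-amd64/Packages"
    release = "Suite: example\n" + "".join(
        f"{name}:\n {h(index).hexdigest()} {len(index)} {path}\n"
        for name, h in (("MD5Sum", hashlib.md5), ("SHA256", hashlib.sha256)))
    return release, path, index, deb
```

`verify_chain(*build_sample(), "hello")` returns the hash algorithm that was used; changing a single byte of the index or of the `.deb` raises `ValueError`.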
I wanted this to be a comment, but I couldn't fit it in the box so I'm placing it here.
Yes, md5 has been broken cryptologically, but that doesn't mean it's a bad general purpose hashing algorithm. Modifying a file so it has the same hash is incredibly difficult, and doing so with a particular malicious change is nigh on impossible. From looking at the example you referenced, (Predicting The Winner) see this:
"The documents were first carefully prepared as valid PDF documents, with a hidden image object incorporated, containing a sufficient amount of random bits. Then, according to the diamond structure shown above, eleven chosen-prefix collisions were computed, and placed inside the hidden image objects at precisely the proper spots. In this way the twelve documents were turned into an MD5 multi-collision."
What was done was filling the files with random data to make the hashes match. The technology isn't anywhere near capable of adding particular malicious code to a file and having the hashes line up without breaking it or making it obvious that the file has been changed (I don't know if apt does, but many file hashes are accompanied by their file sizes to increase the difficulty of an undetectable hash collision).
md5 was not "broken". What they found was a way to carefully craft an original message, and a modified message that had the same hash. It is not possible to take an original message not specially crafted for the purpose of tampering with (the correct file), and modify it in such a way as to preserve its md5sum.