public inbox for cygwin@cygwin.com
* How Cygwin counters man-in-the-middle (MITM) attacks
@ 2015-03-08 19:44 David A. Wheeler
  2015-03-08 19:51 ` Achim Gratz
  0 siblings, 1 reply; 5+ messages in thread
From: David A. Wheeler @ 2015-03-08 19:44 UTC (permalink / raw)
  To: cygwin

I'm trying to convince myself that the changes being made to Cygwin
will counter man-in-the-middle (MITM) attacks during installation or update.

Can someone tell me if the details below are correct?
I think something like this should be a new FAQ entry,
e.g., "How does Cygwin counter man-in-the-middle (MITM)
attacks during installation and update?"

Thanks.

--- David A. Wheeler



=== DETAILS ===


Here is how I think Cygwin will counter man-in-the-middle (MITM) attacks
during installation and update (once the switch to SHA-512 is complete):

1. The Cygwin server is correctly configured to support https (TLS).

   I checked Cygwin.com's SSL/TLS implementation using Qualys
   ( https://www.ssllabs.com/ssltest/ ). Cygwin.com got an overall rating
   of "B" (capped because it permits the RC4 cipher).
   That's reasonable evidence that it is correctly configured.

   The cygwin.com site now supports HTTP Strict Transport Security (HSTS)
   according to Qualys.  I believe that is new (and welcome news),
   because HSTS counters many MITM attacks.

2. The setup program is downloaded by the user using https.

   The user downloads setup-x86.exe or setup-x86_64.exe using https;
   https causes the user's web browser to authenticate the data source.
   Downloading these executables wasn't protected by https at one time
   (see my report https://cygwin.com/ml/cygwin/2015-02/msg00875.html), but
   that has been fixed (https://cygwin.com/ml/cygwin/2015-02/msg00896.html).

3. The Cygwin key is embedded in the setup program.

   The setup program has the Cygwin public key embedded in it, so the
   Cygwin public key is protected by the previous step.
   You can confirm this by looking at the setup project
   (http://sourceware.org/cygwin-apps/setup.html) source code via a git clone,
   and looking at file "cyg-pubkey.h" which is automatically generated
   from file "cygwin.pub".

4. The package list (setup.{ini,bz2}) has its digital signature checked.

   The setup program downloads from some mirror site the latest package list
   "setup.bz2" (compressed) or "setup.ini" (uncompressed).
   The package list not only lists the official Cygwin packages, but it
   also includes their cryptographic hashes.
   The setup program also gets the relevant ".sig" (signature) file.
   A mirror could corrupt the package list or signature, but this is
   countered because the setup program checks that the package list
   is correctly signed using the public key embedded in the setup program
   (you have to use the "-X" option to NOT check signatures).
   The setup program also checks the setup.{bz2,ini}
   timestamp/version and reports to the user if the file
   goes backwards in time; that process detects downgrade attacks
   (e.g., where an attacker sends an old signed setup.ini file).

5. The possibly-updated packages to be installed are downloaded and their
   cryptographic hashes (from the signed setup.ini file) are checked.

   Currently (as of 2015-03-08) Cygwin uses MD5 cryptographic hashes.
   As long as MD5 is accepted then Cygwin is vulnerable to
   MITM, because MD5 is a totally broken algorithm. E.g., in 2012
   the Flame malware exploited MD5 to fake a Microsoft digital signature.

   However, the 2015-02-06 update of setup*.exe added support for SHA-512
   (e.g., see https://cygwin.com/ml/cygwin/2015-02/msg00093.html),
   and "we're going to switch to using SHA512 checksums in
   the setup.ini files in a couple of weeks and this requires all of you
   to use the newer Setup version."
   There are no known practical exploits of SHA-512 (part of SHA-2).


Obviously this argument doesn't discuss other attacks (e.g.,
is the cygwin.com server adequately countering attack, is the Cygwin private key protected,
are files protected as they come from developers, etc.).
But I think it's important to know about MITM.


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: How Cygwin counters man-in-the-middle (MITM) attacks
  2015-03-08 19:44 How Cygwin counters man-in-the-middle (MITM) attacks David A. Wheeler
@ 2015-03-08 19:51 ` Achim Gratz
  2015-03-08 21:57   ` Achim Gratz
                     ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Achim Gratz @ 2015-03-08 19:51 UTC (permalink / raw)
  To: cygwin

David A. Wheeler writes:
>    I checked Cygwin.com's SSL/TLS implementation using Qualys
>    ( https://www.ssllabs.com/ssltest/ ). Cygwin.com got an overall rating
>    of "B" (capped because it permits the RC4 cipher).

That's not what I see at the moment, so you might want to check again:

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-08 20:38 CET
Nmap scan report for cygwin.com (209.132.180.131)
Host is up (0.21s latency).
rDNS record for 209.132.180.131: server1.sourceware.org
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=cygwin.com/organizationName=Red Hat Inc./stateOrProvinceName=North Carolina/countryName=US
| Issuer: commonName=DigiCert SHA2 High Assurance Server CA/organizationName=DigiCert Inc/countryName=US
| Public Key type: rsa
| Public Key bits: 4096
| Not valid before: 2014-05-15T23:00:00+00:00
| Not valid after:  2016-05-20T11:00:00+00:00
| MD5:   d888 b3ed 9f0f f8d1 5b57 fdd7 5122 bb53
|_SHA-1: 349e 7f24 e249 2256 af2d 15a9 2883 ce84 4a40 a88f
| ssl-enum-ciphers: 
|   SSLv3: No supported ciphers found
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
| 
|   TLSv1.1: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|     compressors: 
|       NULL
|_  least strength: weak

> 5. The possibly-updated packages to be installed are downloaded and their
>    cryptographic hashes (from the signed setup.ini file) are checked.
>
>    Currently (as of 2015-03-08) Cygwin uses MD5 cryptographic hashes.
>    As long as MD5 is accepted then Cygwin is vulnerable to
>    MITM, because MD5 is a totally broken algorithm. E.g., in 2012
>    the Flame malware exploited MD5 to fake a Microsoft digital signature.

Setup.ini also records the file size, so a successful attack would need
to pack a malicious payload into a valid archive of the same size and the
same MD5 checksum.  I think that is a much taller order than simply
creating a hash collision.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Waldorf MIDI Implementation & additional documentation:
http://Synth.Stromeko.net/Downloads.html#WaldorfDocs


* Re: How Cygwin counters man-in-the-middle (MITM) attacks
  2015-03-08 19:51 ` Achim Gratz
@ 2015-03-08 21:57   ` Achim Gratz
  2015-03-09 13:43   ` Corinna Vinschen
  2015-03-09 15:57   ` David A. Wheeler
  2 siblings, 0 replies; 5+ messages in thread
From: Achim Gratz @ 2015-03-08 21:57 UTC (permalink / raw)
  To: cygwin

Achim Gratz writes:
> That's not what I see at the moment, so you might want to check again:

Forget that, I managed to read over that one line… :-P

> |       TLS_RSA_WITH_RC4_128_SHA - strong


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

DIY Stuff:
http://Synth.Stromeko.net/DIY.html


* Re: How Cygwin counters man-in-the-middle (MITM) attacks
  2015-03-08 19:51 ` Achim Gratz
  2015-03-08 21:57   ` Achim Gratz
@ 2015-03-09 13:43   ` Corinna Vinschen
  2015-03-09 15:57   ` David A. Wheeler
  2 siblings, 0 replies; 5+ messages in thread
From: Corinna Vinschen @ 2015-03-09 13:43 UTC (permalink / raw)
  To: cygwin


On Mar  8 20:44, Achim Gratz wrote:
> David A. Wheeler writes:
> >    I checked Cygwin.com's SSL/TLS implementation using Qualys
> >    ( https://www.ssllabs.com/ssltest/ ). Cygwin.com got an overall rating
> >    of "B" (capped because it permits the RC4 cipher).

Isn't that rather due to the IDEA cypher:

> | Not valid after:  2016-05-20T11:00:00+00:00
> | MD5:   d888 b3ed 9f0f f8d1 5b57 fdd7 5122 bb53
> |_SHA-1: 349e 7f24 e249 2256 af2d 15a9 2883 ce84 4a40 a88f
> | ssl-enum-ciphers: 
> |   SSLv3: No supported ciphers found
> |   TLSv1.0: 
> |     ciphers: 
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
> |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
> |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
> |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Also, again, Cygwin is just one project on sourceware.org.  It would be
nice if concerns like this would be addressed to the overseers mailing
list.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: How Cygwin counters man-in-the-middle (MITM) attacks
  2015-03-08 19:51 ` Achim Gratz
  2015-03-08 21:57   ` Achim Gratz
  2015-03-09 13:43   ` Corinna Vinschen
@ 2015-03-09 15:57   ` David A. Wheeler
  2 siblings, 0 replies; 5+ messages in thread
From: David A. Wheeler @ 2015-03-09 15:57 UTC (permalink / raw)
  To: cygwin, Stromeko

On Sun, 08 Mar 2015 20:44:30 +0100, Achim Gratz <Stromeko@nexgo.de> wrote:
> Setup.ini also records the file size, so a successful attack would need
> to pack a malicious payload into a valid archive of the same size and the
> same MD5 checksum.  I think that is a much taller order than simply
> creating a hash collision.

That is harder, but I wouldn't trust it.

In 2004 it was shown that MD5 is not collision resistant, and the attacks just keep getting worse.  A quick check at the Wikipedia page about MD5 shows the sorry state of MD5.  The Software Engineering Institute (SEI) puts it pretty baldly: MD5 "should be considered cryptographically broken and unsuitable for further use".  You want to use known-strong crypto, not known-busted crypto.

Besides, there are easily-available, much-stronger alternatives, in particular SHA-2 (SHA-512 is part of SHA-2). It's already supported in the current Cygwin installer.

I recommend that Cygwin switch to SHA-512 soon.  It'll require that everyone update their installer to do future updates, but the installer download has been secured.  Then Cygwin can include in their FAQ a reasonable justification that its download and update process is secure.

--- David A. Wheeler
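
Added example (not part of the thread and not Cygwin's setup code): a Python illustration of steps 4 and 5 from the first message, together with the file-size check raised in the reply. It assumes the package list's signature has already been verified, and it assumes a "setup-timestamp:" line and "install: path size hash" lines; the function names and sample data are constructed for illustration.

```python
import hashlib
import re

SHA512_HEX = re.compile(r"[0-9a-f]{128}")  # MD5 would be only 32 hex digits

def parse_setup_ini(text):
    """Return (setup_timestamp, {path: (size, digest)}) from setup.ini-style text."""
    timestamp, files = None, {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields = value.split()
        if key == "setup-timestamp" and len(fields) == 1:
            timestamp = int(fields[0])
        elif key in ("install", "source") and len(fields) == 3:
            path, size, digest = fields
            files[path] = (int(size), digest.lower())
    return timestamp, files

def is_not_rollback(new_timestamp, last_seen_timestamp):
    """Step 4's downgrade check: flag a correctly signed but older package list."""
    return new_timestamp is not None and new_timestamp >= last_seen_timestamp

def verify_archive(path, data, files):
    """Step 5: return 'ok' or the reason the downloaded bytes are rejected."""
    if path not in files:
        return "not listed"
    size, digest = files[path]
    if not SHA512_HEX.fullmatch(digest):
        return "weak hash"       # refuse MD5-length entries instead of trusting them
    if len(data) != size:
        return "size mismatch"
    if hashlib.sha512(data).hexdigest() != digest:
        return "hash mismatch"
    return "ok"

# Constructed sample data (not real Cygwin packages or a real setup.ini).
GOOD = b"constructed archive bytes"
DEMO = "x86_64/release/demo/demo-1.0-1.tar.xz"
LEGACY = "x86_64/release/legacy/legacy-1.0-1.tar.xz"
SAMPLE_INI = (
    "setup-timestamp: 1425844800\n"
    "@ demo\n"
    f"install: {DEMO} {len(GOOD)} {hashlib.sha512(GOOD).hexdigest()}\n"
    "@ legacy\n"
    f"install: {LEGACY} {len(GOOD)} {'0' * 32}\n"
)

if __name__ == "__main__":
    stamp, listed = parse_setup_ini(SAMPLE_INI)
    print(is_not_rollback(stamp, 1425758400), verify_archive(DEMO, GOOD, listed))
    print(verify_archive(DEMO, GOOD[:-1] + b"X", listed), verify_archive(LEGACY, GOOD, listed))
```

The size comparison only narrows what a substituted archive can look like; the SHA-512 comparison is the check that carries the integrity guarantee once the list itself is trusted.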

