Mailing List Archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tlug] Any way to make code running on a cloud service publicly verifiable?

Curt Sampson writes:

 > I would think you'd have the server allow downloads of the version it's
 > running,

I don't see how that's easy to analyze.  That would require that the
server open up a file transfer mechanism not under control of Edgar
(remember, Edgar is the prime suspect here).  Maybe that's easy to do,
and easy to secure.

 > > Yeah, I thought about that.  I don't see how it's a reduction in
 > > attack surface, though.  It's just a question of how reliable the
 > > chained SHA1 is, but that's the only point of attack I can see.
 > I wouldn't be confident that that's the only new area of attack without
 > further analysis,

Agreed, but your obvious solution has its own such issues.  I don't
have the competence to suggest which is easier to analyze, or easier
to secure, though.

 > and even just the question of the reliability of the
 > chained SHA1 is not trivial. (If it were, we wouldn't be using things
 > such as HMACs instead of straight hashes.)

The reason for using HMACs is that a man in the middle can learn to
generate hashes for messages that he can control, at least in part.
Here, generating new SHA1s is out of the question, you must match the
one reported by the server.  You need a collision.

Home | Main Index | Thread Index

Home Page Mailing List Linux and Japan TLUG Members Links