Are there plans for Fortinet to start providing image checksums that are not based on the easily breakable md5 algorithm?
As a security company I'd have thought Fortinet would have moved away from md5 a long time ago...
Regards,
Matthew
Although MD5 is used to valid the checksum of firmware images, I believe the firmware images themselves are digitally signed using RSA; I can only speak from personal experience on this though...I recall sometime during 4.0 MR3 patch 7-11 period Fortinet uploaded a set of firmwares that either had no RSA signatures or had a problem with them, to their ftp site then quickly replaced them a few hours later with correct RSA signatures.
As for MD5 itself, I still see companies like Cisco still using it to validate their firmwares (though in Cisco's case they do offer digitally signed firmwares).
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Even juniper offers md5/sha checksum for there images files.
PCNSE
NSE
StrongSwan
I don't know much about RSA signatures and google wasn't my friend today.
Is this a fair summary:
- Given any MD5 hash, it's possible to alter the image and still match the hash, but MD5 is a reasonable tool to quickly check for transmission errors;
- The images have RSA signatures. These are checked by the unit when loaded eg syslog "The image does have a valid RSA signature". This would detect both transmission error or an altered image.
- Hence the combination of the two covers both accident and malice?
Does the image fail to load if the signature check fails?
Can the signature be verified other than loading it into hardware?
journeyman wrote:Does the image fail to load if the signature check fails?
Can the signature be verified other than loading it into hardware?
From my own experience, the firmware still loads, but I do see "image has an invalid RSA signature" or similar message (via console/putty session) while the Fortigate boots up.
I do not think so -- at least not by any public accessible tool.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I don't know much about RSA signatures and google wasn't my friend today. Is this a fair summary: - Given any MD5 hash, it's possible to alter the image and still match the hash, but MD5 is a reasonable tool to quickly check for transmission errors;
No , that's the purpose of the md5 hash, could the hash match something else ( collisions ) yes, the probability is yet to be determine. A few Chinese math genius have computed this. You hash the file, you will get the same hash over and over again.
- The images have RSA signatures. These are checked by the unit when loaded eg syslog "The image does have a valid RSA signature". This would detect both transmission error or an altered image. - Hence the combination of the two covers both accident and malice? Does the image fail to load if the signature check fails? Can the signature be verified other than loading it into hardware?
Where are you finding the RSA signatures at? I never seen a RSA sign public-available for any fortinet images. The checksum check provides the checksum for all images, but none are a RSA.sign. I could be wrong but that's what I know.
Cisco and Juniper both do not provide pubic rsa.sign for there images. Both they do provide md5 ( cisco+juniper ) and sha hashes ( juniper). So the probability of any corruption could be checked via both hashes if available. If you doubt the md5 hash , you could open a ticket and have support compute the sha1 or other sha hash.
or
If they are in a good mode, they could craft a rsa.sign , provide you the hashed rsa.sig and you could compare. I'm only guessing here ( I never tried YMMV )
IMHO, if you download via a secured HTTPs site from fortinet directly. Didn't use FTP, and compare the md5 hash. Than you should be okay.
PCNSE
NSE
StrongSwan
You hash the file, you will get the same hash over and over again.Yes, but MD5 is broken. Given a file and it's md5 hash, you can make changes to the file in such a way that the hash remains the same ie md5(F1) = md5(F2) - so the hash fails its job. My point is that this is malicious and for an accidental change to the file the risk of the hash matching must be negligible (although still non-zero).
if you download via a secured HTTPs site from fortinet directly. [..] you should be okayAgreed. But if you're concerned about malice I think the original poster's point remains valid.. unless the RSA signature protects against any modification. It would however be nice to know the image was sound before loading it.
Where are you finding the RSA signatures at?The unit itself reports about the RSA via syslog during a firmware update:
msg="[..] loaded an image [..] The new image does have a valid RSA signature."
Yes, but MD5 is broken. Given a file and it's md5 hash, you can make changes to the file in such a way that the hash remains the same ie md5(F1) = md5(F2) - so the hash fails its job. My point is that this is malicious and for an accidental change to the file the risk of the hash matching must be negligible (although still non-zero).
Can you actually demonstrated this? You have proof such as a ; study or cases or white-paper? Or are you speculating ?
If you modify a file, the resulting hash will always be "changed", there's no way around this, regardless if it's md5 , sha1 or sha256.
If fortinet would provide more than 1 hash in the same fashion as juniper or heck a hash+sign like with our linux kernels sources;) , than your fears would be squash. Current practices for file sanity checks is to use SHA2 or better but half of the world has not move this way due to the md5 being readily available or known. Even tehe various us.gov hve moved away from md5/sha1 but we are talking about a gov agency with classified or TS data, we are talking bout a firmware image running an appliance ( a very big difference )
Funny thing as I'm writting this reply, the ftp/http linux kernel sources have been providing 2 forms of hash and a sign for decades to include a change-log details and have used SHA2 . Maybe the mfg'er & vendors should be using linux-kernel concept for setting the example ;)
So it strange none of the major security vendors have deployed this, or see this a big security risk or the sky if falling.
note: I 'm a pfsense user and test and even pfsense distributions deploys a md5 and sha256 hash for ALL of there builds but no rsa signatures
The unit itself reports about the RSA via syslog during a firmware update:
FWIW
So that means the all of the *.out binary has the rsa.sign included in the "firmware" that your questioning. So that would not be a 100% sure means for integrity check. If you where concern and want to scrutinize , than the signature should be externally craft after construction of the final binary & available for download and comparison. This is why I said, fortinet has NOT made public available rsa.sign for any of the firmware we receive.
So have anyone actually spoke up to Fortinet about the images delivery and the lack of signatures?And gotten there input ?
PCNSE
NSE
StrongSwan
http://en.wikipedia.org/wiki/MD5#Security says
The security of the MD5 hash function is severely compromised. [..]...it was also found to be possible to construct collisions between two files...
and gives references and examples.
I'm happy that md5 is enough for a downloaded image for my own purposes at least; it was the original post that questioned its use. I'm trying to understand what the built in RSA signature can and can not prove.
A collision is not what your describing here when you write the following, ( pay attention to the bold letterings ).
Yes, but MD5 is broken. Given a file and it's md5 hash, you can make changes to the file in such a way that the hash remains the same ie md5(F1) = md5(F2) - so the hash fails its job.
If you take a file that's hash with md5 or any other message-digest, you will not be able to modify it without changing the hash.
A collision is where "any two hash operations on "different" data will result in the same computed hash. A totally different issues.
This is why md4, md5 and sha0 have been determine to not be 100% reliable. The math genius and professors all calculating and performing analysis to determine if collision attacks exist in all algorithm. It's probably a matter of time before they find a flaw in sha2 for example ( probably decades or centuries ;)
That was what I was trying to point out, that what you wrote could be mistakenly Interpet is not correct!
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.