On Sat, Mar 31, 2007 at 12:10:53PM +0100, Colin MacDonald wrote:
> [ straight forward way to pass the RSA check with a borg client using
>   man-in-the-middle exploit ]

The issue here is two-fold:

    1) The client isn't verifying that the server is legitimate before
       sending information. One-way trust models will always be exploitable
       in the other direction.

    2) The RSA check proves only that the user has access to the client
       secret key. As the client secret key is distributed freely on public
       sites, this proof is technically worthless. The RSA check is only
       slightly better than the old reserved.c check, in that the technology
       used is more complicated, and therefore more obscure.

I think most people would readily understand the first, but may not
understand that the real problem is the second. Public key encryption
algorithms allow the client to prove it possesses a secret key,
without requiring the other agent to know it. This is all it provides.
No more, no less.

To prove this, consider the other approach to "cracking" the RSA
check: Extract the secret key from the public binaries. Even if the
module link order is randomized, and the symbol information stripped,
the client still contains the secret key, and still must access it
when presented with the RSA check. Tracing execution of the client, or
disassembling a stripped binary may be beyond many people. It is not
beyond all people. The secret key widely distributed in every blessed
Netrek client.

I don't think there is a way to provide full-proof protection against
clients that will may use the information sent by the server to their
advantage. The general answer is to restrict the information
sent. Netrek already does this to a fairly significant degree.



mark at mielke.cc / markm at ncf.ca / markm at nortel.com     __________________________
.  .  _  ._  . .   .__    .  . ._. .__ .   . . .__  | Neighbourhood Coder
|\/| |_| |_| |/    |_     |\/|  |  |_  |   |/  |_   | 
|  | | | | \ | \   |__ .  |  | .|. |__ |__ | \ |__  | Ottawa, Ontario, Canada

  One ring to rule them all, one ring to find them, one ring to bring them all
                       and in the darkness bind them...