[Owasp-file-hash-repository] [Owasp-leaders] New OWASP project

Lucas Ferreira lucas.ferreira at owasp.org
Tue Nov 1 08:43:43 EDT 2011


Hello Azzeddine,

I am using MD5 for a few reasons:

1. It is most widely available. As most sources of file hashes include
MD5, there was a need to include it. Please note that I am not only
generating hashes for known files. I am also collecting hashes from
knowledgeable sources, such as NIST, SANS, etc.

2. The database also includes SHA-1 when possible, so the user can
decide which hash to use, or both.

3. The database also includes the file size. AFAIK, current collision
attacks do not preserve the file size.

Your other questions are answered inline below.

Best Regards,

Lucas

On Tue, Nov 1, 2011 at 10:16, Azzeddine Ramrami
<azzeddine.ramrami at owasp.org> wrote:
>
> Hi,
> I find this project and idea very interesting. This project is not like Tripwire because it is not an HIDS.
> Why MD5? This hash function is no longer secure.
> Questions:
> - how can this project ensure the integrity of the hash itself?

Good question. The database has no mechanism to ensure the integrity
of the hashes. Maybe we need to think of an attack model to define the
best protection mechanisms.

> - how can this project ensure the integrity of the stored files, if that is the case?

The files are not stored by the project. We only store the hashes.

> Regards,
> Azzeddine
>
>
> On Tue, Nov 1, 2011 at 12:58 PM, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:
>>
>> Sorry to come back again, but I have to correct that Google safe
>> browsing database IS available for download. Kudos to them.
>>
>> Regards,
>>
>> Lucas
>>
>> On Tue, Nov 1, 2011 at 09:37, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:
>> > Hello all,
>> >
>> > I'll hijack Michael's email to answer all previous emails in this
>> > thread. If I left anything out, please remind me and I'll do my best
>> > to provide a suitable answer.
>> >
>> > First, I also had doubts if this project would fit in OWASP. I then
>> > talked to some OWASPers and the conclusion was that it should be given
>> > a try. I then submitted the project proposal to the Global Projects
>> > Committee and it was approved.
>> >
>> > Second, I understand that this project is not directly linked to web
>> > or application security, but I think it could be used in web or
>> > application security tasks. As Dinis pointed out, there is the
>> > possibility of using the database to validate scripts or libraries in
>> > a convergence-inspired way. A web crawler could be used to check web
>> > pages and downloads, as pointed by Christian.
>> >
>> > In any case, if the OWASP community thinks this project does not
>> > belong here, I can withdraw it. No problems with that at all. So far,
>> > opinions are divided, so I'd ask the Projects Committee to take care
>> > of this and warn me if the project needs to be taken off OWASP.
>> >
>> > Answering more specific concerns:
>> >
>> > Christian, the list of data sources for the projects database is not
>> > closed. If you know a good source of hash data of web-related files,
>> > please let me know and I'll manage to include them. Regarding
>> > including tripwire-like functionality, it can be done. We need to
>> > finish writing some code to allow users to upload data to the database
>> > and also a web crawler. I will post a roadmap soon. Regarding Google
>> > safe browsing, their approach is to work with URLs. We work with file
>> > contents. I think the approaches are complementary. The problem I see
>> > with Google is that their database is not open, as far as I know. Our
>> > database should be available to anyone to copy or query.
>> >
>> > Mark, I am aware of the MD5 collision attacks. That's why the project
>> > includes SHA-1 hashes too. Also, the use of both hashes combined seems
>> > beyond current attacks. Please note that the hashes are not stored
>> > with the files. Our database only includes the hashes. The process
>> > would be for someone to get the file, calculate the hashes and then
>> > check the hashes against the database.
>> >
>> > Well, thanks everyone for the attention and please excuse me if I
>> > caused any trouble.
>> >
>> > Regards,
>> >
>> > Lucas
>> >
>> > On Tue, Nov 1, 2011 at 02:48, Michael Coates <michael.coates at owasp.org> wrote:
>> >> This has been an interesting discussion and it's a good sign that the
>> >> community is weighing in with various view points.
>> >>
>> >> I'd like to present a few thoughts for people to consider.
>> >> OWASP is built on top of a community of volunteers that are experts in their
>> >> respective fields. Our guides, tools, resources, outreach, conferences (and
>> >> more) are excellent because talented people have dedicated their time and
>> >> skills.
>> >> One of the great things that OWASP works towards is making OWASP a platform
>> >> that is easy for anyone to contribute their time and effort.  A model that
>> >> requires approval from a centralized body before a project could be started
>> >> would be a very different model than what we have now and one that I think
>> >> would diminish the successes of our community.
>> >> In the end, good ideas will flourish and attract more participation and also
>> >> more support from OWASP overall.  However, it's very hard to know what the
>> >> next great idea is unless we experiment with bright minds in a variety of
>> >> areas.
>> >> With that, I say best of luck to this new project and any others that are
>> >> in line with the principles of OWASP.
>> >>
>> >>
>> >>
>> >> --
>> >> Michael Coates
>> >> OWASP
>> >>
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> OWASP-Leaders mailing list
>> >> OWASP-Leaders at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > Homo sapiens non urinat in ventum.
>> >
>>
>>
>>
>> --
>> Homo sapiens non urinat in ventum.
>



--
Homo sapiens non urinat in ventum.
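The lookup the thread describes (get the file, compute its MD5 and SHA-1, then check them against a repository that also records the file size), as an added example that is not part of the original thread or of the OWASP project's code. The repository rows, the file contents and the verdict names KNOWN, CONFLICT and UNKNOWN are constructed for this example; the tampered record stands in for the case where a file matches a stored MD5 but not the stored SHA-1 or size, since no real MD5 collision is produced here.

```python
"""Check local files against a hash repository that stores MD5, SHA-1
(when available) and file size.  Added example, not the project's code."""

import hashlib
import os
import tempfile
from collections import namedtuple

# One repository row.  sha1 is None when the upstream source only had MD5.
Record = namedtuple("Record", "md5 sha1 size")

CHUNK = 64 * 1024


def hash_file(path):
    """Return (md5_hex, sha1_hex, size) for a file, streaming in chunks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return md5.hexdigest(), sha1.hexdigest(), size


def check_file(path, db):
    """Classify a file against db, a dict mapping md5 -> Record.

    KNOWN     every field the repository holds for this MD5 matches
    CONFLICT  MD5 matches but SHA-1 or size does not; either a bad row or
              a colliding file, so it must not be treated as known-good
    UNKNOWN   MD5 is not in the repository at all
    """
    md5, sha1, size = hash_file(path)
    rec = db.get(md5)
    if rec is None:
        return "UNKNOWN"
    if rec.size != size:
        return "CONFLICT"
    if rec.sha1 is not None and rec.sha1 != sha1:
        return "CONFLICT"
    return "KNOWN"


def record_for(data, with_sha1=True):
    """Build a repository row from constructed content (demo helper)."""
    return Record(hashlib.md5(data).hexdigest(),
                  hashlib.sha1(data).hexdigest() if with_sha1 else None,
                  len(data))


def demo():
    """Write constructed files to a temp dir, check each, return the verdicts."""
    good = b"#!/usr/bin/env python\nprint('known script')\n"   # constructed
    other = b"<html><body>known page</body></html>\n"            # constructed
    db = {}
    for data, with_sha1 in ((good, True), (other, False)):
        r = record_for(data, with_sha1)
        db[r.md5] = r

    # Constructed conflict: same MD5 in the repository, but a SHA-1 that does
    # not match the file.  Stands in for a collision or a corrupted row.
    good_rec = db[record_for(good).md5]
    db_tampered = dict(db)
    db_tampered[good_rec.md5] = good_rec._replace(sha1="0" * 40)

    verdicts = {}
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in (("good", good), ("other", other),
                           ("unknown", b"something else\n")):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            paths[name] = p
        verdicts["good"] = check_file(paths["good"], db)
        verdicts["other"] = check_file(paths["other"], db)   # MD5 + size only
        verdicts["unknown"] = check_file(paths["unknown"], db)
        verdicts["conflict"] = check_file(paths["good"], db_tampered)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The point of the three-way verdict is that a file whose MD5 is in the repository is only accepted when every field the repository holds for it (SHA-1 where present, and size) also agrees; a partial match is reported separately rather than silently counted as known-good.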

