mirror of
https://github.com/restic/restic.git
synced 2025-03-30 00:00:14 +01:00
add changelog and update threat model
This commit is contained in:
Michael Eischer
parent
8d2d50d095
commit
37aa4f824f
2 changed files with 33 additions and 0 deletions
23
changelog/unreleased/issue-5291
Normal file
23
changelog/unreleased/issue-5291
Normal file
|
|
@ -0,0 +1,23 @@
|
|||
Security: Mitigate attack on content-defined chunking algorithm
|
||||
|
||||
Restic uses [Rabin Fingerprints](https://restic.net/blog/2015-09-12/restic-foundation1-cdc/)
|
||||
for its content-defined chunker. The algorithm relies on a secret polynomial
|
||||
to split files into chunks.
|
||||
|
||||
As shown in the paper "[Chunking Attacks on File Backup Services using Content-Defined Chunking](https://eprint.iacr.org/2025/532.pdf)"
|
||||
by Boris Alexeev, Colin Percival and Yan X Zhang, an
|
||||
attacker that can observe chunk sizes for a known file can derive the secret
|
||||
polynomial. Knowledge of the polynomial might in some cases allow an attacker
|
||||
to check whether certain large files are stored in a repository.
|
||||
|
||||
A practical attack is nevertheless hard as restic merges multiple chunks into
|
||||
opaque pack files and by default processes multiple files in parallel. This
|
||||
likely prevents an attacker from matching pack files to the attacker-known file
|
||||
and thereby prevents the attack.
|
||||
|
||||
We have added a mitigation to restic, which randomizes how chunks are assembled
|
||||
into pack files. This prevents an attacker from guessing which chunks are part
|
||||
of a pack file and thereby prevents learning the chunk sizes.
|
||||
|
||||
https://github.com/restic/restic/issues/5291
|
||||
https://github.com/restic/restic/pull/5295
|
||||
|
|
@ -755,6 +755,16 @@ An adversary with read access to your backup storage location could:
|
|||
repository (please use strong passwords with sufficient entropy).
|
||||
- Infer which packs probably contain trees via file access patterns.
|
||||
- Infer the size of backups by using creation timestamps of repository objects.
|
||||
- As shown in the paper `Chunking Attacks on File Backup Services using Content-Defined Chunking <https://eprint.iacr.org/2025/532.pdf>`_
|
||||
by Boris Alexeev, Colin Percival and Yan X Zhang, an
|
||||
attacker that can observe chunk sizes created for a known file can derive the secret
|
||||
chunker polynomial. Knowledge of the polynomial might in some cases allow an
|
||||
attacker to check whether certain large files are stored in a repository.
|
||||
This has been mitigated in restic 0.18.0 by randomly assigning chunks to
|
||||
pack files, which prevents an attacker from learning the chunk sizes as the
|
||||
attacker can no longer determine to which file and which part of it a chunk belongs.
|
||||
See `#5295 <https://github.com/restic/restic/pull/5295>`_ for more details
|
||||
on the mitigation.
|
||||
|
||||
An adversary with network access could:
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue