mirror of
https://github.com/restic/restic.git
synced 2025-03-30 00:00:14 +01:00
add changelog and update threat model
parent 8d2d50d095
commit 37aa4f824f
2 changed files with 33 additions and 0 deletions
23
changelog/unreleased/issue-5291
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
Security: Mitigate attack on content-defined chunking algorithm
|
||||||
|
|
||||||
|
Restic uses [Rabin Fingerprints](https://restic.net/blog/2015-09-12/restic-foundation1-cdc/)
|
||||||
|
for its content-defined chunker. The algorithm relies on a secret polynomial
|
||||||
|
to split files into chunks.
|
||||||
|
|
||||||
|
As shown in the paper "[Chunking Attacks on File Backup Services using Content-Defined Chunking](https://eprint.iacr.org/2025/532.pdf)"
|
||||||
|
by Boris Alexeev, Colin Percival and Yan X Zhang, an
|
||||||
|
attacker that can observe chunk sizes for a known file can derive the secret
|
||||||
|
polynomial. Knowledge of the polynomial might in some cases allow an attacker
|
||||||
|
to check whether certain large files are stored in a repository.
|
||||||
|
|
||||||
|
A practical attack is nevertheless hard as restic merges multiple chunks into
|
||||||
|
opaque pack files and by default processes multiple files in parallel. This
|
||||||
|
likely prevents an attacker from matching pack files to the attacker-known file
|
||||||
|
and thereby prevents the attack.
|
||||||
|
|
||||||
|
We have added a mitigation to restic, which randomizes how chunks are assembled
|
||||||
|
into pack files. This prevents an attacker from guessing which chunks are part
|
||||||
|
of a pack file and thereby prevents learning the chunk sizes.
|
||||||
|
|
||||||
|
https://github.com/restic/restic/issues/5291
|
||||||
|
https://github.com/restic/restic/pull/5295
|
|
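Review bot: The third paragraph hedges with "This likely prevents an attacker from matching pack files" and then concludes "and thereby prevents the attack", and the mitigation paragraph says the change "prevents learning the chunk sizes" without any qualifier; the two claims should be stated with the same strength. The entry also does not say what applies to pack files already written to a repository or whether users need to take any action, which is what a reader of a "Security:" changelog entry looks for first. Consider adding one closing sentence that covers existing repositories and any required user action.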
@ -755,6 +755,16 @@ An adversary with read access to your backup storage location could:
|
||||||
repository (please use strong passwords with sufficient entropy).
|
repository (please use strong passwords with sufficient entropy).
|
||||||
- Infer which packs probably contain trees via file access patterns.
|
- Infer which packs probably contain trees via file access patterns.
|
||||||
- Infer the size of backups by using creation timestamps of repository objects.
|
- Infer the size of backups by using creation timestamps of repository objects.
|
||||||
|
- As shown in the paper `Chunking Attacks on File Backup Services using Content-Defined Chunking <https://eprint.iacr.org/2025/532.pdf>`_
|
||||||
|
by Boris Alexeev, Colin Percival and Yan X Zhang, an
|
||||||
|
attacker that can observe chunk sizes created for a known file can derive the secret
|
||||||
|
chunker polynomial. Knowledge of the polynomial might in some cases allow an
|
||||||
|
attacker to check whether certain large files are stored in a repository.
|
||||||
|
This has been mitigated in restic 0.18.0 by randomly assigning chunks to
|
||||||
|
pack files, which prevents an attacker from learning the chunk sizes as the
|
||||||
|
attacker can no longer determine to which file and which part of it a chunk belongs.
|
||||||
|
See `#5295 <https://github.com/restic/restic/pull/5295>`_ for more details
|
||||||
|
on the mitigation.
|
||||||
|
|
||||||
An adversary with network access could:
|
An adversary with network access could:
|
||||||
|
|
||||||
|
|
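Review bot: The new bullet sits in the "An adversary with read access to your backup storage location could:" list, but unlike its siblings ("Infer which packs ...", "Infer the size of backups ...") it opens with "As shown in the paper ..." and then states the issue "has been mitigated in restic 0.18.0", so it reads as a capability the adversary both has and does not have. Suggest leading with the verb, for example "Derive the secret chunker polynomial by observing chunk sizes created for a known file ...", and either stating whether this still applies to packs written before 0.18.0 or moving the mitigated item out of the "could:" list. The changelog entry in this same commit also explains that merging chunks into pack files and processing files in parallel already make a practical attack hard; the threat model text omits that, so the two descriptions should be aligned.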