Skip to content

Commit

Permalink
explain why we check hashes before signatures
Browse files Browse the repository at this point in the history 
Signed-off-by: Trishank Karthik Kuppusamy <[email protected]>
  • Loading branch information
@trishankatdatadog
trishankatdatadog committed Dec 11, 2020
1 parent fd85a8a commit 320ba2f
Showing 1 changed file with 10 additions and 6 deletions.
16 changes: 10 additions & 6 deletions tuf-spec.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1218,9 +1218,11 @@ the timestamp metadata file.
* **5.4.1**. **Check against timestamp role's snapshot hash.** The hashes
of the new snapshot metadata file MUST match the hashes, if any, listed in
the trusted timestamp metadata. This is done, in part, to prevent a
mix-and-match attack by man-in-the-middle attackers. If the hashes do not
match, discard the new snapshot metadata, abort the update cycle, and report
the failure.
mix-and-match attack by man-in-the-middle attackers. It is safe to check the
hashes before the signatures, because the hashes comes from the timestamp
role, which we have already verified in the previous step; it is also a quick
way to reject bad metadata. If the hashes do not match, discard the
new snapshot metadata, abort the update cycle, and report the failure.

* **5.4.2**. **Check for an arbitrary software attack.** The new snapshot
metadata file MUST have been signed by a threshold of keys specified in the
Expand Down Expand Up @@ -1265,9 +1267,11 @@ snapshot metadata file.
* **5.5.1**. **Check against snapshot role's targets hash.** The hashes
of the new targets metadata file MUST match the hashes, if any, listed in the
trusted snapshot metadata. This is done, in part, to prevent a mix-and-match
attack by man-in-the-middle attackers. If the new targets metadata file does
not match, discard the new target metadata, abort the update cycle, and
report the failure.
attack by man-in-the-middle attackers. It is safe to check the hashes before
the signatures, because the hashes comes from the snapshot role, which we have
already verified in the previous step; it is also a quick way to reject bad
metadata. If the new targets metadata file does not match, discard the new
target metadata, abort the update cycle, and report the failure.

* **5.5.2**. **Check for an arbitrary software attack.** The new targets
metadata file MUST have been signed by a threshold of keys specified in the
Expand Down

0 comments on commit 320ba2f

Please sign in to comment.