mirror of
https://github.com/restic/restic.git
synced 2025-07-29 00:33:36 +00:00
25 lines
1.3 KiB
Plaintext
25 lines
1.3 KiB
Plaintext
Security: Mitigate attack on content-defined chunking algorithm
|
|
|
|
Restic uses [Rabin Fingerprints](https://restic.net/blog/2015-09-12/restic-foundation1-cdc/)
|
|
for its content-defined chunker. The algorithm relies on a secret polynomial
|
|
to split files into chunks.
|
|
|
|
As shown in the paper "[Chunking Attacks on File Backup Services using Content-Defined Chunking](https://eprint.iacr.org/2025/532.pdf)"
|
|
by Boris Alexeev, Colin Percival and Yan X Zhang, an
|
|
attacker that can observe chunk sizes for a known file can derive the secret
|
|
polynomial. Knowledge of the polynomial might in some cases allow an attacker
|
|
to check whether certain large files are stored in a repository.
|
|
|
|
A practical attack is nevertheless hard as restic merges multiple chunks into
|
|
opaque pack files and by default processes multiple files in parallel. This
|
|
likely prevents an attacker from matching pack files to the attacker-known file
|
|
and thereby prevents the attack.
|
|
|
|
Despite the low chances of a practical attack, restic now has added mitigation
|
|
that randomizes how chunks are assembled into pack files. This prevents attackers
|
|
from guessing which chunks are part of a pack file and thereby prevents learning
|
|
the chunk sizes.
|
|
|
|
https://github.com/restic/restic/issues/5291
|
|
https://github.com/restic/restic/pull/5295
|