diff --git a/changelog/unreleased/issue-5291 b/changelog/unreleased/issue-5291 new file mode 100644 index 000000000..f433d3e63 --- /dev/null +++ b/changelog/unreleased/issue-5291 @@ -0,0 +1,23 @@ +Security: Mitigate attack on content-defined chunking algorithm + +Restic uses [Rabin Fingerprints](https://restic.net/blog/2015-09-12/restic-foundation1-cdc/) +for its content-defined chunker. The algorithm relies on a secret polynomial +to split files into chunks. + +As shown in the paper "[Chunking Attacks on File Backup Services using Content-Defined Chunking](https://eprint.iacr.org/2025/532.pdf)" +by Boris Alexeev, Colin Percival and Yan X Zhang, an +attacker that can observe chunk sizes for a known file can derive the secret +polynomial. Knowledge of the polynomial might in some cases allow an attacker +to check whether certain large files are stored in a repository. + +A practical attack is nevertheless hard as restic merges multiple chunks into +opaque pack files and by default processes multiple files in parallel. This +likely prevents an attacker from matching pack files to the attacker-known file +and thereby prevents the attack. + +We have added a mitigation to restic, which randomizes how chunks are assembled +into pack files. This prevents an attacker from guessing which chunks are part +of a pack file and thereby prevents learning the chunk sizes. + +https://github.com/restic/restic/issues/5291 +https://github.com/restic/restic/pull/5295 diff --git a/doc/design.rst b/doc/design.rst index 62b7e9bf9..90b2d6002 100644 --- a/doc/design.rst +++ b/doc/design.rst @@ -755,6 +755,16 @@ An adversary with read access to your backup storage location could: repository (please use strong passwords with sufficient entropy). - Infer which packs probably contain trees via file access patterns. - Infer the size of backups by using creation timestamps of repository objects. +- As shown in the paper `Chunking Attacks on File Backup Services using Content-Defined Chunking `_ + by Boris Alexeev, Colin Percival and Yan X Zhang, an + attacker that can observe chunk sizes created for a known file can derive the secret + chunker polynomial. Knowledge of the polynomial might in some cases allow an + attacker to check whether certain large files are stored in a repository. + This has been mitigated in restic 0.18.0 by randomly assigning chunks to + pack files, which prevents an attacker from learning the chunk sizes as the + attacker can no longer determine to which file and which part of it a chunk belongs. + See `#5295 `_ for more details + on the mitigation. An adversary with network access could: