Exam CS0-003
Question 109

A security analyst is reviewing the findings of the latest vulnerability report for a company’s web application. The web application accepts files for a Bash script to be processed if the files match a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and infrastructure?

    Correct Answer: B

    The most effective way to mitigate the vulnerability caused by hash collisions in this scenario is to replace the current MD5 hash function with SHA-256. SHA-256 is significantly more resistant to collision attacks compared to MD5. This change directly addresses the primary issue with hash collisions while requiring minimal modifications to the existing script and infrastructure. By simply updating the hash function, the application can continue to operate with increased security without necessitating extensive alterations or additional components.
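One way the swap described above could look in a Bash upload check, as an added example that is not from the exam or from the application in the question; the function names, the allowlist format (one hex digest per line) and the exit codes are assumptions. It also skips allowlist entries that are not 64 hex characters, so MD5 digests left over from before the change can never match.

```shell
#!/usr/bin/env bash
# Added example: hash-allowlist check for submitted files.
# All names here (digest_of, is_approved, the allowlist file) are hypothetical.

# Before (collision-prone):  HASH_CMD=md5sum;  DIGEST_LEN=32
# After: the only lines that change in the script itself.
HASH_CMD=sha256sum
DIGEST_LEN=64

# digest_of FILE: print the hex digest of FILE. Reading from stdin keeps
# unusual file names out of the hashing tool's output.
digest_of() {
    "$HASH_CMD" < "$1" | awk '{print $1}'
}

# is_approved FILE ALLOWLIST
#   0 = digest is on the allowlist, 1 = not approved, 2 = could not check.
# Entries of the wrong length or with non-hex characters are skipped, so
# stale MD5 entries cannot approve anything after the migration.
is_approved() {
    local file="$1" allowlist="$2" digest entry
    [ -f "$file" ] && [ -r "$allowlist" ] || return 2
    digest=$(digest_of "$file") || return 2
    [ "${#digest}" -eq "$DIGEST_LEN" ] || return 2
    while IFS= read -r entry; do
        entry=$(printf '%s' "$entry" | tr 'A-F' 'a-f')
        case $entry in
            ''|*[!0-9a-f]*) continue ;;
        esac
        [ "${#entry}" -eq "$DIGEST_LEN" ] || continue
        if [ "$entry" = "$digest" ]; then
            return 0
        fi
    done < "$allowlist"
    return 1
}

# Usage when run directly: verify.sh FILE ALLOWLIST (exit 0 = approved)
if [ "$#" -eq 2 ]; then
    is_approved "$1" "$2"
    exit $?
fi
```

The stored digests have to be regenerated with SHA-256 at the same time as the script change; the old MD5 values cannot be converted.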

Discussion
kmordalv (Option: B)

Seems correct. This option involves changing the hash algorithm from the vulnerable MD5 to the more secure SHA-256. It addresses the hash collision vulnerability directly and doesn't require major changes to the existing infrastructure or script logic.

johnabayot (Option: B)

Replacing MD5 with digital signatures is a significant change that involves implementing a different authentication mechanism, but SHA-256 is a more straightforward and effective solution to mitigate the vulnerability while minimizing disruption to the current system.

FoeMarc (Option: D)

D. Replace the MD5 with digital signatures. Here's why: MD5 to Digital Signatures: Replacing MD5 with digital signatures is a more secure approach to verify the authenticity and integrity of files. Digital signatures provide a higher level of security and are less prone to collision attacks compared to hash functions like MD5. This change can be made within the script itself without major infrastructure changes. Few Changes: This option minimizes changes to the current script and infrastructure. It involves replacing the hashing mechanism within the script while keeping the overall architecture intact.

b0ad9e1

Using digital signatures could enhance security, but this approach requires more extensive changes to the infrastructure and script. Digital signatures involve a cryptographic key pair (private and public keys), which complicates the implementation compared to simply updating the hash function.

b0ad9e1

SHA-256 can prevent hash collisions with fewer changes than implementing digital signatures.

maggie22 (Option: B)

SHA-256 is resistant to collision attacks.

throughthefray (Option: B)

Had it not said "with the fewest changes to the current script and infrastructure?" I would absolutely say D. D would eliminate the possibilities of collisions in the future, but it also requires more changes to the script infrastructure than B. So based on specifically what is being asked I would say B.