/[gentoo]/xml/htdocs/proj/en/glep/glep-0059.html
Gentoo

Diff of /xml/htdocs/proj/en/glep/glep-0059.html

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

Revision 1.3 Revision 1.10
2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> 3<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
4 4
5<head> 5<head>
6 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 6 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
7 <meta name="generator" content="Docutils 0.5: http://docutils.sourceforge.net/" /> 7 <meta name="generator" content="Docutils 0.6: http://docutils.sourceforge.net/" />
8 <title>GLEP 59 -- Manifest2 hash policies and security implications</title> 8 <title>GLEP 59 -- Manifest2 hash policies and security implications</title>
9 <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head> 9 <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head>
10<body bgcolor="white"> 10<body bgcolor="white">
11<table class="navigation" cellpadding="0" cellspacing="0" 11<table class="navigation" cellpadding="0" cellspacing="0"
12 width="100%" border="0"> 12 width="100%" border="0">
25<tbody valign="top"> 25<tbody valign="top">
26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">59</td> 26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">59</td>
27</tr> 27</tr>
28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Manifest2 hash policies and security implications</td> 28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Manifest2 hash policies and security implications</td>
29</tr> 29</tr>
30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.3</td> 30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.7</td>
31</tr> 31</tr>
32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0059.txt?cvsroot=gentoo">2008/10/28 07:45:44</a></td> 32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0059.txt?cvsroot=gentoo">2010/02/02 05:49:27</a></td>
33</tr> 33</tr>
34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;,</td> 34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;,</td>
35</tr> 35</tr>
36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> 36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td>
37</tr> 37</tr>
41</tr> 41</tr>
42<tr class="field"><th class="field-name">Requires:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/proj/en/glepglep-0044.html">44</a></td> 42<tr class="field"><th class="field-name">Requires:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/proj/en/glepglep-0044.html">44</a></td>
43</tr> 43</tr>
44<tr class="field"><th class="field-name">Created:</th><td class="field-body">October 2006</td> 44<tr class="field"><th class="field-name">Created:</th><td class="field-body">October 2006</td>
45</tr> 45</tr>
46<tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008, October 2008</td> 46<tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008, October 2008, January 2010</td>
47</tr> 47</tr>
48<tr class="field"><th class="field-name">Updates:</th><td class="field-body">44</td> 48<tr class="field"><th class="field-name">Updates:</th><td class="field-body">44</td>
49</tr> 49</tr>
50<tr class="field"><th class="field-name">Post-History:</th><td class="field-body"></td> 50<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009, January 2010</td>
51</tr> 51</tr>
52</tbody> 52</tbody>
53</table> 53</table>
54<hr /> 54<hr />
55<div class="contents topic" id="contents"> 55<div class="contents topic" id="contents">
59<li><a class="reference internal" href="#motivation" id="id2">Motivation</a></li> 59<li><a class="reference internal" href="#motivation" id="id2">Motivation</a></li>
60<li><a class="reference internal" href="#specification" id="id3">Specification</a><ul> 60<li><a class="reference internal" href="#specification" id="id3">Specification</a><ul>
61<li><a class="reference internal" href="#the-bad-news" id="id4">The bad news</a></li> 61<li><a class="reference internal" href="#the-bad-news" id="id4">The bad news</a></li>
62<li><a class="reference internal" href="#how-fast-can-md5-be-broken" id="id5">How fast can MD5 be broken?</a></li> 62<li><a class="reference internal" href="#how-fast-can-md5-be-broken" id="id5">How fast can MD5 be broken?</a></li>
63<li><a class="reference internal" href="#the-good-news" id="id6">The good news</a></li> 63<li><a class="reference internal" href="#the-good-news" id="id6">The good news</a></li>
64<li><a class="reference internal" href="#what-should-be-done" id="id7">What should be done</a><ul> 64<li><a class="reference internal" href="#what-should-be-done" id="id7">What should be done</a></li>
65<li><a class="reference internal" href="#checksum-depreciation" id="id8">Checksum depreciation</a></li> 65<li><a class="reference internal" href="#checksum-depreciation-timing" id="id8">Checksum depreciation timing</a><ul>
66<li><a class="reference internal" href="#general-principles" id="id9">General principles:</a></li>
67<li><a class="reference internal" href="#immediate-plans" id="id10">Immediate plans:</a></li>
66</ul> 68</ul>
67</li> 69</li>
68</ul> 70</ul>
69</li> 71</li>
70<li><a class="reference internal" href="#backwards-compatibility" id="id9">Backwards Compatibility</a></li> 72<li><a class="reference internal" href="#backwards-compatibility" id="id11">Backwards Compatibility</a></li>
71<li><a class="reference internal" href="#references" id="id10">References</a></li> 73<li><a class="reference internal" href="#references" id="id12">References</a></li>
72<li><a class="reference internal" href="#thanks-to" id="id11">Thanks to</a></li> 74<li><a class="reference internal" href="#thanks-to" id="id13">Thanks to</a></li>
73<li><a class="reference internal" href="#copyright" id="id12">Copyright</a></li> 75<li><a class="reference internal" href="#copyright" id="id14">Copyright</a></li>
74</ul> 76</ul>
75</div> 77</div>
76<div class="section" id="abstract"> 78<div class="section" id="abstract">
77<h1><a class="toc-backref" href="#id1">Abstract</a></h1> 79<h1><a class="toc-backref" href="#id1">Abstract</a></h1>
78<p>While Manifest2 format allows multiple hashes, the question of which 80<p>While Manifest2 format allows multiple hashes, the question of which
85<h1><a class="toc-backref" href="#id2">Motivation</a></h1> 87<h1><a class="toc-backref" href="#id2">Motivation</a></h1>
86<p>This GLEP is being written as part of the work on signing the Portage 88<p>This GLEP is being written as part of the work on signing the Portage
87tree, but is only tangentially related to the actual signing of 89tree, but is only tangentially related to the actual signing of
88Manifests. Checksums present one possible weak point in the overall 90Manifests. Checksums present one possible weak point in the overall
89security of the tree - and a comprehensive security plan is needed.</p> 91security of the tree - and a comprehensive security plan is needed.</p>
92<p>This GLEP is not mandatory for the tree-signing specification, but
93instead aims to improve the security of the hashes used in Manifest2.
94As such, it is also able to stand on it's own.</p>
90</div> 95</div>
91<div class="section" id="specification"> 96<div class="section" id="specification">
92<h1><a class="toc-backref" href="#id3">Specification</a></h1> 97<h1><a class="toc-backref" href="#id3">Specification</a></h1>
93<div class="section" id="the-bad-news"> 98<div class="section" id="the-bad-news">
94<h2><a class="toc-backref" href="#id4">The bad news</a></h2> 99<h2><a class="toc-backref" href="#id4">The bad news</a></h2>
98The most common position (and indeed the one previously held by myself), 103The most common position (and indeed the one previously held by myself),
99is that multiple checksums would be an increase in security, but we 104is that multiple checksums would be an increase in security, but we
100could not provably quantify the amount of security this added. 105could not provably quantify the amount of security this added.
101The really bad news, is that this position is completely and utterly 106The really bad news, is that this position is completely and utterly
102wrong. Many of you will be aghast at this. There is extremely little 107wrong. Many of you will be aghast at this. There is extremely little
103added security in multiple checksums [J04]. For any set of checksums, 108added security in multiple checksums as noted by Joux [J04]. For any set
104the actual strength lies in that of the strongest checksum.</p> 109of checksums, the actual strength lies in that of the strongest
110checksum.</p>
111<p>Wang et al [W04] extended Joux's [J04] work on SHA-0 to cover MD4, MD5,
112HAVAL-128 and RIPEMD families of hashes.</p>
105</div> 113</div>
106<div class="section" id="how-fast-can-md5-be-broken"> 114<div class="section" id="how-fast-can-md5-be-broken">
107<h2><a class="toc-backref" href="#id5">How fast can MD5 be broken?</a></h2> 115<h2><a class="toc-backref" href="#id5">How fast can MD5 be broken?</a></h2>
108<p>For a general collision, not a pre-image attack, since the original 116<p>For a general collision, not a pre-image attack, since the announcement
109announcement by Wang et al [W04], the time required to break MD5 has 117by Wang et al [W04], the time required to break MD5 has been massively
110been massively reduced. Originally at 1 hour on a near-supercomputer 118reduced. Originally at 1 hour on a near-supercomputer (IBM P690) and
111(IBM P690) and estimated at 64 hours with a Pentium-3 1.7Ghz. This has 119estimated at 64 hours with a Pentium-3 1.7Ghz. This has gone down to
112gone down to less than in two years, to 17 seconds [K06a]!</p> 120less than in two years, to 17 seconds [K06a].</p>
121<ul class="simple">
113<p>08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours 122<li>08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours</li>
11403/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours 123<li>03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours</li>
11511/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours 124<li>11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours</li>
11603/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours 125<li>03/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours</li>
11704/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours</p> 126<li>04/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours</li>
127</ul>
118<p>If we accept a factor of 800x as a sample of how much faster a checksum 128<p>If we accept a factor of 800x as a sample of how much faster a checksum
119may be broken over the course of 2 years (MD5 using the above data is 129may be broken over the course of 2 years (MD5 using the above data is
120&gt;2000x), then existing checksums do not stand a significant chance of 130&gt;2000x), then existing checksums do not stand a significant chance of
121survival in the future. We should thus accept that whatever checksums we 131survival in the future. We should thus accept that whatever checksums we
122are using today, will be broken in the near future, and plan as best as 132are using today, will be broken in the near future, and plan as best as
123possible. (A brief review [H04] of the present SHA1 attacks indicates an 133possible. (A brief review [H04] of the SHA1 attacks indicates an
124improvement of ~600x in the same timespan).</p> 134improvement of ~600x in the same timespan).</p>
125<p>And for those that claim implementation of these procedures is not yet 135<p>And for those that claim implementation of these procedures is not yet
126feasible, see [K06b] for an application that can produce two 136feasible, see [K06b] for an application that can produce two
127self-extracting .exe files, with identical MD5s, and whatever payload 137self-extracting EXE files, with identical MD5s, and whatever payload you
128you want.</p> 138want.</p>
129</div> 139</div>
130<div class="section" id="the-good-news"> 140<div class="section" id="the-good-news">
131<h2><a class="toc-backref" href="#id6">The good news</a></h2> 141<h2><a class="toc-backref" href="#id6">The good news</a></h2>
132<p>Of the checksums presently used by Manifest2, one stands close to being 142<p>Of the checksums presently used by Manifest2 (SHA1, SHA256, RIPEMD160),
133completely broken: SHA1. The SHA2 series has suffered some attacks, but 143one stands close to being completely broken: SHA1; and another is
134still remains reasonably solid [G07],[K08]. No attacks against RIPEMD160 144significantly weakened: RIPEMD160. The SHA2 series has suffered some
135have been published, however it is constructed in the same manner as 145attacks, but still remains reasonably solid [G07],[K08].</p>
136MD5, SHA1 and SHA2, so is also vulnerable to the new methods of
137cryptanalysis [H04].</p>
138<p>To reduce the potential for future problems and any single checksum 146<p>To reduce the potential for future problems and any single checksum
139break leading to a rapid decrease in security, we should incorporate the 147break leading to a rapid decrease in security, we should incorporate the
140strongest hash available from each family of checksums, and be prepared 148strongest hash available from each family of checksums, and be prepared
141to retire old checksums actively, unless there is a overriding reason to 149to retire old checksums actively, unless there is a overriding reason to
142keep a specific checksum.</p> 150keep a specific checksum, such as part of a migration plan.</p>
143</div> 151</div>
144<div class="section" id="what-should-be-done"> 152<div class="section" id="what-should-be-done">
145<h2><a class="toc-backref" href="#id7">What should be done</a></h2> 153<h2><a class="toc-backref" href="#id7">What should be done</a></h2>
146<p>Portage should always try to verify all supported hashes that are 154<p>Portage should always try to verify all supported hashes that are
147available in a Manifest2, starting with the strongest ones as maintained 155available in a Manifest2, starting with the strongest ones as maintained
148by a preference list. Over time, the weaker checksums should be removed 156by a preference list. Over time, the weaker checksums should be removed
149from Manifest2 files, once all old Portage installations have had 157from Manifest2 files, once all old Portage installations have had
150sufficient time to upgrade. We should be prepared to add stronger 158sufficient time to upgrade. Stronger checksums shall be added as soon as
151checksums wherever possible, and to remove those that have been 159an implementation is available in Portage. Weak checksums may be removed
152defeated.</p> 160as long as the depreciation process is followed (see below).</p>
161<p>As soon as feasible, we should add the SHA512 and WHIRLPOOL algorithms.
162In future, as stream-based checksums are developed (in response to the
163development by NIST [AHS]), they should be considered and used.</p>
164<p>The SHA512 algorithm is available in Python 2.5, which has been a
165dependency of Portage since approximately Portage 2.1.6.13.</p>
166<p>The WHIRLPOOL checksum is not available within the PyCrypto library or
167hashlib that is part of Python 2.5, but there are multiple alternative
168Python implementations available, ranging from pure Python to C-based
169(python-mhash).</p>
153<p>An unsupported hash is not considered to be a failure unless no 170<p>The existence unsupported hash is not considered to be a failure unless
154supported hashes are available.</p> 171no supported hashes are available for a given Manifest entry.</p>
172</div>
155<div class="section" id="checksum-depreciation"> 173<div class="section" id="checksum-depreciation-timing">
156<h3><a class="toc-backref" href="#id8">Checksum depreciation</a></h3> 174<h2><a class="toc-backref" href="#id8">Checksum depreciation timing</a></h2>
157<p>For the current Portage, SHA1 should be gradually removed, as presents 175<div class="section" id="general-principles">
158no advantages over SHA256. Beyond one specific problem (see the next 176<h3><a class="toc-backref" href="#id9">General principles:</a></h3>
159paragraph), we should add SHA512 (SHA2, 512 bit size), the Whirlpool 177<p>A minimum set of depreciated checksums shall be maintained only to
160checksum (standardized checksum, with no known weaknesses). In future, 178support old package manager versions where needed by historically used
161as stream-based checksums are developed (in response to the development 179trees:</p>
162by NIST [AHS]), they should be considered and used.</p> 180<ul class="simple">
163<p>There is one temporary stumbling block at hand - the existing Portage 181<li>New package manager versions should NOT use depreciated checksums in</li>
164infrastructure does not support SHA384/512 or Whirlpool, thus hampering 182<li>New trees with that have never used the depreciated checksums may omit
165their immediate acceptance. SHA512 is available in Python 2.5, while 183them for reasons of size, but are still strongly suggested to include
166SHA1 is already available in Python 2.4. After Python2.5 is established 184them.</li>
167in a Gentoo media release, that would be a suitable time to remove SHA1 185<li>Removal of depreciated checksums shall happen after no less than 18
168from Manifest2 files.</p> 186months or one major Portage version cycle, whichever is greater.</li>
187</ul>
188</div>
189<div class="section" id="immediate-plans">
190<h3><a class="toc-backref" href="#id10">Immediate plans:</a></h3>
191<p>For the current Portage, both SHA1 and RIPEMD160 should be immediately
192removed, as they present no advantages over the already present SHA256.
193SHA256 cannot be replaced immediately with SHA512, as existing Portage
194versions need at least one supported algorithm present (SHA256 support
195was added in June 2006), so it must be retained for some while.</p>
196<p>Immediately:</p>
197<ul class="simple">
198<li>Add WHIRLPOOL and SHA512.</li>
199<li>Remove SHA1 and RIPEMD160.</li>
200</ul>
201<p>After the majority of Portage installations include SHA512 support:</p>
202<ul class="simple">
203<li>Remove SHA256.</li>
204</ul>
169</div> 205</div>
170</div> 206</div>
171</div> 207</div>
172<div class="section" id="backwards-compatibility"> 208<div class="section" id="backwards-compatibility">
173<h1><a class="toc-backref" href="#id9">Backwards Compatibility</a></h1> 209<h1><a class="toc-backref" href="#id11">Backwards Compatibility</a></h1>
174<p>Old versions of Portage may support and expect only specific checksums. 210<p>Old versions of Portage may support and expect only specific checksums.
175This is accounted for in the checksum depreciation discussion.</p> 211This is accounted for in the checksum depreciation discussion.</p>
212<p>For maximum compatiability, we should only have to include each of the
213old algorithms that we are officially still supporting, as well as the
214new ones that we prefer.</p>
176</div> 215</div>
177<div class="section" id="references"> 216<div class="section" id="references">
178<h1><a class="toc-backref" href="#id10">References</a></h1> 217<h1><a class="toc-backref" href="#id12">References</a></h1>
179<dl class="docutils"> 218<dl class="docutils">
180<dt>[AHS] NIST (2007). &quot;NIST's Plan for New Cryptographic Hash Functions&quot;,</dt> 219<dt>[AHS] NIST (2007). &quot;NIST's Plan for New Cryptographic Hash Functions&quot;,</dt>
181<dd>(Advanced Hash Standard). <a class="reference external" href="http://csrc.nist.gov/pki/HashWorkshop/">http://csrc.nist.gov/pki/HashWorkshop/</a></dd> 220<dd>(Advanced Hash Standard). <a class="reference external" href="http://csrc.nist.gov/pki/HashWorkshop/">http://csrc.nist.gov/pki/HashWorkshop/</a></dd>
182<dt>[BOBO06] Boneh, D. and Boyen, X. (2006). &quot;On the Impossibility of</dt> 221<dt>[BOBO06] Boneh, D. and Boyen, X. (2006). &quot;On the Impossibility of</dt>
183<dd>Efficiently Combining Collision Resistant Hash Functions&quot;; Proceedings 222<dd>Efficiently Combining Collision Resistant Hash Functions&quot;; Proceedings
211version (August 17, 2004). Available online from: 250version (August 17, 2004). Available online from:
212<a class="reference external" href="http://eprint.iacr.org/2004/199.pdf">http://eprint.iacr.org/2004/199.pdf</a></dd> 251<a class="reference external" href="http://eprint.iacr.org/2004/199.pdf">http://eprint.iacr.org/2004/199.pdf</a></dd>
213</dl> 252</dl>
214</div> 253</div>
215<div class="section" id="thanks-to"> 254<div class="section" id="thanks-to">
216<h1><a class="toc-backref" href="#id11">Thanks to</a></h1> 255<h1><a class="toc-backref" href="#id13">Thanks to</a></h1>
217<dl class="docutils"> 256<dl class="docutils">
218<dt>I'd like to thank the following folks, in no specific order:</dt> 257<dt>I'd like to thank the following folks, in no specific order:</dt>
219<dd><ul class="first last simple"> 258<dd><ul class="first last simple">
220<li>Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper, 259<li>Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper,
221and also being stubborn enough in not accepting a partial solution.</li> 260and also being stubborn enough in not accepting a partial solution.</li>
225</ul> 264</ul>
226</dd> 265</dd>
227</dl> 266</dl>
228</div> 267</div>
229<div class="section" id="copyright"> 268<div class="section" id="copyright">
230<h1><a class="toc-backref" href="#id12">Copyright</a></h1> 269<h1><a class="toc-backref" href="#id14">Copyright</a></h1>
231<p>Copyright (c) 2006 by Robin Hugh Johnson. This material may be 270<p>Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
232distributed only subject to the terms and conditions set forth in the 271distributed only subject to the terms and conditions set forth in the
233Open Publication License, v1.0.</p> 272Open Publication License, v1.0.</p>
234<p>vim: tw=72 ts=2 expandtab:</p> 273<p>vim: tw=72 ts=2 expandtab:</p>
235</div> 274</div>
236 275
237</div> 276</div>
238<div class="footer"> 277<div class="footer">
239<hr class="footer" /> 278<hr class="footer" />
240<a class="reference external" href="glep-0059.txt">View document source</a>. 279<a class="reference external" href="glep-0059.txt">View document source</a>.
241Generated on: 2008-10-28 07:47 UTC. 280Generated on: 2010-02-07 10:37 UTC.
242Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. 281Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
243 282
244</div> 283</div>
245</body> 284</body>
246</html> 285</html>

Legend:
Removed from v.1.3  
changed lines
  Added in v.1.10

  ViewVC Help
Powered by ViewVC 1.1.20