/[gentoo]/xml/htdocs/proj/en/glep/glep-0059.txt
Gentoo

Contents of /xml/htdocs/proj/en/glep/glep-0059.txt

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.3 - (hide annotations) (download)
Tue Oct 28 07:45:44 2008 UTC (5 years, 9 months ago) by robbat2
Branch: MAIN
Changes since 1.2: +4 -3 lines
File MIME type: text/plain
Fix headers.

1 cardoe 1.1 GLEP: 59
2     Title: Manifest2 hash policies and security implications
3 robbat2 1.3 Version: $Revision: 1.2 $
4     Last-Modified: $Date: 2008/10/22 17:59:43 $
5 cardoe 1.1 Author: Robin Hugh Johnson <robbat2@gentoo.org>,
6     Status: Draft
7     Type: Standards Track
8     Content-Type: text/x-rst
9     Requires: 44
10     Created: October 2006
11 robbat2 1.3 Updated: November 2007, June 2008, July 2008, October 2008
12 cardoe 1.1 Updates: 44
13 robbat2 1.3 Post-History:
14 cardoe 1.1
15     Abstract
16     ========
17     While Manifest2 format allows multiple hashes, the question of which
18     checksums should be present, why, and the security implications of such
19     have never been resolved. This GLEP covers all of these issues, and
20     makes recommendations as to how to handle checksums both now, and in
21     future.
22    
23     Motivation
24     ==========
25     This GLEP is being written as part of the work on signing the Portage
26     tree, but is only tangentially related to the actual signing of
27     Manifests. Checksums present one possible weak point in the overall
28     security of the tree - and a comprehensive security plan is needed.
29    
30     Specification
31     =============
32     The bad news
33     ------------
34     First of all, I'd like to cover the bad news in checksum security.
35     A much discussed point, as been the simple question: What is the
36     security of multiple independent checksums on the same data?
37     The most common position (and indeed the one previously held by myself),
38     is that multiple checksums would be an increase in security, but we
39     could not provably quantify the amount of security this added.
40     The really bad news, is that this position is completely and utterly
41     wrong. Many of you will be aghast at this. There is extremely little
42     added security in multiple checksums [J04]. For any set of checksums,
43     the actual strength lies in that of the strongest checksum.
44    
45     How fast can MD5 be broken?
46     ---------------------------
47     For a general collision, not a pre-image attack, since the original
48     announcement by Wang et al [W04], the time required to break MD5 has
49     been massively reduced. Originally at 1 hour on a near-supercomputer
50     (IBM P690) and estimated at 64 hours with a Pentium-3 1.7Ghz. This has
51     gone down to less than in two years, to 17 seconds [K06a]!
52    
53     08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours
54     03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours
55     11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours
56     03/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours
57     04/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours
58    
59     If we accept a factor of 800x as a sample of how much faster a checksum
60     may be broken over the course of 2 years (MD5 using the above data is
61     >2000x), then existing checksums do not stand a significant chance of
62     survival in the future. We should thus accept that whatever checksums we
63     are using today, will be broken in the near future, and plan as best as
64     possible. (A brief review [H04] of the present SHA1 attacks indicates an
65     improvement of ~600x in the same timespan).
66    
67     And for those that claim implementation of these procedures is not yet
68     feasible, see [K06b] for an application that can produce two
69     self-extracting .exe files, with identical MD5s, and whatever payload
70     you want.
71    
72     The good news
73     -------------
74     Of the checksums presently used by Manifest2, one stands close to being
75     completely broken: SHA1. The SHA2 series has suffered some attacks, but
76     still remains reasonably solid [G07],[K08]. No attacks against RIPEMD160
77     have been published, however it is constructed in the same manner as
78     MD5, SHA1 and SHA2, so is also vulnerable to the new methods of
79     cryptanalysis [H04].
80    
81     To reduce the potential for future problems and any single checksum
82     break leading to a rapid decrease in security, we should incorporate the
83     strongest hash available from each family of checksums, and be prepared
84     to retire old checksums actively, unless there is a overriding reason to
85     keep a specific checksum.
86    
87     What should be done
88     -------------------
89     Portage should always try to verify all supported hashes that are
90     available in a Manifest2, starting with the strongest ones as maintained
91     by a preference list. Over time, the weaker checksums should be removed
92     from Manifest2 files, once all old Portage installations have had
93     sufficient time to upgrade. We should be prepared to add stronger
94     checksums wherever possible, and to remove those that have been
95     defeated.
96    
97     An unsupported hash is not considered to be a failure unless no
98     supported hashes are available.
99    
100     Checksum depreciation
101     ~~~~~~~~~~~~~~~~~~~~~
102     For the current Portage, SHA1 should be gradually removed, as presents
103     no advantages over SHA256. Beyond one specific problem (see the next
104     paragraph), we should add SHA512 (SHA2, 512 bit size), the Whirlpool
105     checksum (standardized checksum, with no known weaknesses). In future,
106     as stream-based checksums are developed (in response to the development
107     by NIST [AHS]), they should be considered and used.
108    
109     There is one temporary stumbling block at hand - the existing Portage
110     infrastructure does not support SHA384/512 or Whirlpool, thus hampering
111     their immediate acceptance. SHA512 is available in Python 2.5, while
112     SHA1 is already available in Python 2.4. After Python2.5 is established
113     in a Gentoo media release, that would be a suitable time to remove SHA1
114     from Manifest2 files.
115    
116     Backwards Compatibility
117     =======================
118     Old versions of Portage may support and expect only specific checksums.
119     This is accounted for in the checksum depreciation discussion.
120    
121     References
122     ==========
123    
124     [AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions",
125     (Advanced Hash Standard). http://csrc.nist.gov/pki/HashWorkshop/
126    
127     [BOBO06] Boneh, D. and Boyen, X. (2006). "On the Impossibility of
128     Efficiently Combining Collision Resistant Hash Functions"; Proceedings
129     of CRYPTO 2006, Dwork, C. (Ed.); Lecture Notes in Computer Science
130     4117, pp. 570-583. Available online from:
131     http://crypto.stanford.edu/~dabo/abstracts/hashing.html
132    
133     [H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). "On Corrective
134     Patterns for the SHA-2 Family". CRYPTO 2004 Cryptology ePrint Archive,
135     Report 2004/204. Available online from:
136     http://eprint.iacr.org/2004/207.pdf
137    
138 robbat2 1.2 [J04] Joux, Antoie. (2004). "Multicollisions in Iterated Hash
139     Functions - Application to Cascaded Constructions;" Proceedings of
140     CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science
141     3152, pp. 306-316. Available online from:
142 cardoe 1.1 http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf
143    
144     [K06a] Klima, V. (2006). "Tunnels in Hash Functions: MD5 Collisions
145     Within a Minute". Cryptology ePrint Archive, Report 2006/105.
146     Available online from: http://eprint.iacr.org/2006/105.pdf
147    
148     [K06b] Klima, V. (2006). "Note and links to high-speed MD5 collision
149     proof of concept tools". Available online from:
150     http://cryptography.hyperlink.cz/2006/trick.txt
151    
152     [K08] Klima, V. (2008). "On Collisions of Hash Functions Turbo SHA-2".
153     Cryptology ePrint Archive, Report 2008/003. Available online from:
154     http://eprint.iacr.org/2008/003.pdf
155    
156     [G07] Gligoroski, D. and Knapskog, S.J. (2007). "Turbo SHA-2".
157     Cryptology ePrint Archive, Report 2007/403. Available online from:
158     http://eprint.iacr.org/2007/403.pdf
159    
160     [W04] Wang, X. et al: "Collisions for Hash Functions MD4, MD5,
161     HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint
162     Archive, Report 2004/199, first version (August 16, 2004), second
163     version (August 17, 2004). Available online from:
164     http://eprint.iacr.org/2004/199.pdf
165    
166     Thanks to
167     =========
168     I'd like to thank the following folks, in no specific order:
169     - Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper,
170     and also being stubborn enough in not accepting a partial solution.
171     - Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring
172     (ferringb): for being knowledgeable about the Portage Manifest2
173     codebase.
174    
175     Copyright
176     =========
177     Copyright (c) 2006 by Robin Hugh Johnson. This material may be
178     distributed only subject to the terms and conditions set forth in the
179     Open Publication License, v1.0.
180    
181     vim: tw=72 ts=2 expandtab:

  ViewVC Help
Powered by ViewVC 1.1.20