en/glep/glep-0059.txt

GLEP: 59
Title: Manifest2 hash policies and security implications
Version: $Revision: 1.4 $
Last-Modified: $Date: 2010/01/13 03:26:53 $
Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
Status: Draft
Type: Standards Track
Content-Type: text/x-rst
Requires: 44
Created: October 2006
Updated: November 2007, June 2008, July 2008, October 2008, January 2010
Updates: 44
Post-History: December 2009, January 2010

Abstract
========
While Manifest2 format allows multiple hashes, the question of which
checksums should be present, why, and the security implications of such
have never been resolved. This GLEP covers all of these issues, and
makes recommendations as to how to handle checksums both now, and in
future.

Motivation
==========
This GLEP is being written as part of the work on signing the Portage
tree, but is only tangentially related to the actual signing of
Manifests. Checksums present one possible weak point in the overall
security of the tree - and a comprehensive security plan is needed.

Specification
=============
The bad news
------------
First of all, I'd like to cover the bad news in checksum security.
A much discussed point, as been the simple question: What is the
security of multiple independent checksums on the same data?
The most common position (and indeed the one previously held by myself),
is that multiple checksums would be an increase in security, but we
could not provably quantify the amount of security this added.
The really bad news, is that this position is completely and utterly
wrong. Many of you will be aghast at this. There is extremely little
added security in multiple checksums as noted by Joux [J04]. For any set
of checksums, the actual strength lies in that of the strongest
checksum.

Wang et al [W04] extended Joux's [J04] work on SHA-0 to cover MD4, MD5,
HAVAL-128 and RIPEMD families of hashes.

How fast can MD5 be broken?
---------------------------
For a general collision, not a pre-image attack, since the announcement
by Wang et al [W04], the time required to break MD5 has been massively
reduced. Originally at 1 hour on a near-supercomputer (IBM P690) and
estimated at 64 hours with a Pentium-3 1.7Ghz. This has gone down to
less than in two years, to 17 seconds [K06a].

08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours
03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours
11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours
03/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours
04/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours

If we accept a factor of 800x as a sample of how much faster a checksum
may be broken over the course of 2 years (MD5 using the above data is
>2000x), then existing checksums do not stand a significant chance of
survival in the future. We should thus accept that whatever checksums we
are using today, will be broken in the near future, and plan as best as
possible. (A brief review [H04] of the SHA1 attacks indicates an
improvement of ~600x in the same timespan).

And for those that claim implementation of these procedures is not yet
feasible, see [K06b] for an application that can produce two
self-extracting EXE files, with identical MD5s, and whatever payload you
want.

The good news
-------------
Of the checksums presently used by Manifest2 (SHA1, SHA256, RIPEMD160),
one stands close to being completely broken: SHA1; and another is
significantly weakened: RIPEMD160. The SHA2 series has suffered some
attacks, but still remains reasonably solid [G07],[K08]. 

To reduce the potential for future problems and any single checksum
break leading to a rapid decrease in security, we should incorporate the
strongest hash available from each family of checksums, and be prepared
to retire old checksums actively, unless there is a overriding reason to
keep a specific checksum, such as part of a migration plan.

What should be done
-------------------
Portage should always try to verify all supported hashes that are
available in a Manifest2, starting with the strongest ones as maintained
by a preference list. Over time, the weaker checksums should be removed
from Manifest2 files, once all old Portage installations have had
sufficient time to upgrade. We should be prepared to add stronger
checksums wherever possible, and to remove those that have been
defeated.

As soon as feasible, we should add the SHA512 and WHIRLPOOL algorithms.
In future, as stream-based checksums are developed (in response to the
development by NIST [AHS]), they should be considered and used.

The SHA512 algorithm is available in Python 2.5, which has been a
dependency of Portage since approximately Python 2.1.6.13.

The WHIRLPOOL checksum is not available within the PyCrypto library or
hashlib that is part of Python 2.5, but there are multiple alternative
Python implementations available, ranging from pure Python to C-based
(python-mhash).

The existence unsupported hash is not considered to be a failure unless
no supported hashes are available for a given Manifest entry.

Checksum depreciation timing
----------------------------
For the current Portage, both SHA1 and RIPEMD160 should be immediately
removed, as they present no advantages over the already present SHA256.
SHA256 cannot be replaced immediately with SHA512, as existing Portage
versions need at least one supported algorithm present (SHA256 support
was added in June 2006), so it must be retained for some while.

Immediately:
- Add WHIRLPOOL and SHA512.
- Remove SHA1 and RIPEMD160.

After the majority of Portage installations include SHA512 support:
- Remove SHA256.

Backwards Compatibility
=======================
Old versions of Portage may support and expect only specific checksums.
This is accounted for in the checksum depreciation discussion.

References
==========

[AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions",
  (Advanced Hash Standard). http://csrc.nist.gov/pki/HashWorkshop/

[BOBO06] Boneh, D. and Boyen, X. (2006). "On the Impossibility of
  Efficiently Combining Collision Resistant Hash Functions"; Proceedings
  of CRYPTO 2006, Dwork, C. (Ed.); Lecture Notes in Computer Science
  4117, pp. 570-583. Available online from:
  http://crypto.stanford.edu/~dabo/abstracts/hashing.html

[H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). "On Corrective
  Patterns for the SHA-2 Family". CRYPTO 2004 Cryptology ePrint Archive,
  Report 2004/204. Available online from:
  http://eprint.iacr.org/2004/207.pdf

[J04] Joux, Antoie. (2004).  "Multicollisions in Iterated Hash 
  Functions - Application to Cascaded Constructions;" Proceedings of
  CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science
  3152, pp.  306-316. Available online from:
  http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf

[K06a] Klima, V. (2006). "Tunnels in Hash Functions: MD5 Collisions
  Within a Minute". Cryptology ePrint Archive, Report 2006/105.
  Available online from: http://eprint.iacr.org/2006/105.pdf

[K06b] Klima, V. (2006). "Note and links to high-speed MD5 collision
  proof of concept tools". Available online from:
  http://cryptography.hyperlink.cz/2006/trick.txt

[K08] Klima, V. (2008). "On Collisions of Hash Functions Turbo SHA-2".
  Cryptology ePrint Archive, Report 2008/003. Available online from:
  http://eprint.iacr.org/2008/003.pdf

[G07] Gligoroski, D. and Knapskog, S.J. (2007). "Turbo SHA-2".
  Cryptology ePrint Archive, Report 2007/403. Available online from:
  http://eprint.iacr.org/2007/403.pdf

[W04] Wang, X. et al: "Collisions for Hash Functions MD4, MD5,
  HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint
  Archive, Report 2004/199, first version (August 16, 2004), second
  version (August 17, 2004). Available online from:
  http://eprint.iacr.org/2004/199.pdf

Thanks to
=========
I'd like to thank the following folks, in no specific order:
 - Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper,
   and also being stubborn enough in not accepting a partial solution.
 - Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring
   (ferringb): for being knowledgeable about the Portage Manifest2
   codebase.

Copyright
=========
Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
distributed only subject to the terms and conditions set forth in the
Open Publication License, v1.0.

vim: tw=72 ts=2 expandtab:
1	cardoe	1.1	GLEP: 59
2			Title: Manifest2 hash policies and security implications
3	robbat2	1.5	Version: $Revision: 1.4 $
4			Last-Modified: $Date: 2010/01/13 03:26:53 $
5	cardoe	1.1	Author: Robin Hugh Johnson <robbat2@gentoo.org>,
6			Status: Draft
7			Type: Standards Track
8			Content-Type: text/x-rst
9			Requires: 44
10			Created: October 2006
11	robbat2	1.4	Updated: November 2007, June 2008, July 2008, October 2008, January 2010
12	cardoe	1.1	Updates: 44
13	robbat2	1.5	Post-History: December 2009, January 2010
14	cardoe	1.1
15			Abstract
16			========
17			While Manifest2 format allows multiple hashes, the question of which
18			checksums should be present, why, and the security implications of such
19			have never been resolved. This GLEP covers all of these issues, and
20			makes recommendations as to how to handle checksums both now, and in
21			future.
22
23			Motivation
24			==========
25			This GLEP is being written as part of the work on signing the Portage
26			tree, but is only tangentially related to the actual signing of
27			Manifests. Checksums present one possible weak point in the overall
28			security of the tree - and a comprehensive security plan is needed.
29
30			Specification
31			=============
32			The bad news
33			------------
34			First of all, I'd like to cover the bad news in checksum security.
35			A much discussed point, as been the simple question: What is the
36			security of multiple independent checksums on the same data?
37			The most common position (and indeed the one previously held by myself),
38			is that multiple checksums would be an increase in security, but we
39			could not provably quantify the amount of security this added.
40			The really bad news, is that this position is completely and utterly
41			wrong. Many of you will be aghast at this. There is extremely little
42	robbat2	1.5	added security in multiple checksums as noted by Joux [J04]. For any set
43			of checksums, the actual strength lies in that of the strongest
44			checksum.
45
46			Wang et al [W04] extended Joux's [J04] work on SHA-0 to cover MD4, MD5,
47			HAVAL-128 and RIPEMD families of hashes.
48	cardoe	1.1
49			How fast can MD5 be broken?
50			---------------------------
51	robbat2	1.5	For a general collision, not a pre-image attack, since the announcement
52			by Wang et al [W04], the time required to break MD5 has been massively
53			reduced. Originally at 1 hour on a near-supercomputer (IBM P690) and
54			estimated at 64 hours with a Pentium-3 1.7Ghz. This has gone down to
55			less than in two years, to 17 seconds [K06a].
56	cardoe	1.1
57			08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours
58			03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours
59			11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours
60			03/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours
61			04/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours
62
63			If we accept a factor of 800x as a sample of how much faster a checksum
64			may be broken over the course of 2 years (MD5 using the above data is
65			>2000x), then existing checksums do not stand a significant chance of
66			survival in the future. We should thus accept that whatever checksums we
67			are using today, will be broken in the near future, and plan as best as
68	robbat2	1.5	possible. (A brief review [H04] of the SHA1 attacks indicates an
69	cardoe	1.1	improvement of ~600x in the same timespan).
70
71			And for those that claim implementation of these procedures is not yet
72			feasible, see [K06b] for an application that can produce two
73	robbat2	1.5	self-extracting EXE files, with identical MD5s, and whatever payload you
74			want.
75	cardoe	1.1
76			The good news
77			-------------
78	robbat2	1.5	Of the checksums presently used by Manifest2 (SHA1, SHA256, RIPEMD160),
79			one stands close to being completely broken: SHA1; and another is
80			significantly weakened: RIPEMD160. The SHA2 series has suffered some
81			attacks, but still remains reasonably solid [G07],[K08].
82	cardoe	1.1
83			To reduce the potential for future problems and any single checksum
84			break leading to a rapid decrease in security, we should incorporate the
85			strongest hash available from each family of checksums, and be prepared
86			to retire old checksums actively, unless there is a overriding reason to
87	robbat2	1.5	keep a specific checksum, such as part of a migration plan.
88	cardoe	1.1
89			What should be done
90			-------------------
91			Portage should always try to verify all supported hashes that are
92			available in a Manifest2, starting with the strongest ones as maintained
93			by a preference list. Over time, the weaker checksums should be removed
94			from Manifest2 files, once all old Portage installations have had
95			sufficient time to upgrade. We should be prepared to add stronger
96			checksums wherever possible, and to remove those that have been
97			defeated.
98
99	robbat2	1.5	As soon as feasible, we should add the SHA512 and WHIRLPOOL algorithms.
100			In future, as stream-based checksums are developed (in response to the
101			development by NIST [AHS]), they should be considered and used.
102
103			The SHA512 algorithm is available in Python 2.5, which has been a
104			dependency of Portage since approximately Python 2.1.6.13.
105
106			The WHIRLPOOL checksum is not available within the PyCrypto library or
107			hashlib that is part of Python 2.5, but there are multiple alternative
108			Python implementations available, ranging from pure Python to C-based
109			(python-mhash).
110
111			The existence unsupported hash is not considered to be a failure unless
112			no supported hashes are available for a given Manifest entry.
113
114			Checksum depreciation timing
115			----------------------------
116			For the current Portage, both SHA1 and RIPEMD160 should be immediately
117			removed, as they present no advantages over the already present SHA256.
118			SHA256 cannot be replaced immediately with SHA512, as existing Portage
119			versions need at least one supported algorithm present (SHA256 support
120			was added in June 2006), so it must be retained for some while.
121
122			Immediately:
123			- Add WHIRLPOOL and SHA512.
124			- Remove SHA1 and RIPEMD160.
125	cardoe	1.1
126	robbat2	1.5	After the majority of Portage installations include SHA512 support:
127			- Remove SHA256.
128	cardoe	1.1
129			Backwards Compatibility
130			=======================
131			Old versions of Portage may support and expect only specific checksums.
132			This is accounted for in the checksum depreciation discussion.
133
134			References
135			==========
136
137			[AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions",
138			(Advanced Hash Standard). http://csrc.nist.gov/pki/HashWorkshop/
139
140			[BOBO06] Boneh, D. and Boyen, X. (2006). "On the Impossibility of
141			Efficiently Combining Collision Resistant Hash Functions"; Proceedings
142			of CRYPTO 2006, Dwork, C. (Ed.); Lecture Notes in Computer Science
143			4117, pp. 570-583. Available online from:
144			http://crypto.stanford.edu/~dabo/abstracts/hashing.html
145
146			[H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). "On Corrective
147			Patterns for the SHA-2 Family". CRYPTO 2004 Cryptology ePrint Archive,
148			Report 2004/204. Available online from:
149			http://eprint.iacr.org/2004/207.pdf
150
151	robbat2	1.2	[J04] Joux, Antoie. (2004). "Multicollisions in Iterated Hash
152			Functions - Application to Cascaded Constructions;" Proceedings of
153			CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science
154			3152, pp. 306-316. Available online from:
155	cardoe	1.1	http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf
156
157			[K06a] Klima, V. (2006). "Tunnels in Hash Functions: MD5 Collisions
158			Within a Minute". Cryptology ePrint Archive, Report 2006/105.
159			Available online from: http://eprint.iacr.org/2006/105.pdf
160
161			[K06b] Klima, V. (2006). "Note and links to high-speed MD5 collision
162			proof of concept tools". Available online from:
163			http://cryptography.hyperlink.cz/2006/trick.txt
164
165			[K08] Klima, V. (2008). "On Collisions of Hash Functions Turbo SHA-2".
166			Cryptology ePrint Archive, Report 2008/003. Available online from:
167			http://eprint.iacr.org/2008/003.pdf
168
169			[G07] Gligoroski, D. and Knapskog, S.J. (2007). "Turbo SHA-2".
170			Cryptology ePrint Archive, Report 2007/403. Available online from:
171			http://eprint.iacr.org/2007/403.pdf
172
173			[W04] Wang, X. et al: "Collisions for Hash Functions MD4, MD5,
174			HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint
175			Archive, Report 2004/199, first version (August 16, 2004), second
176			version (August 17, 2004). Available online from:
177			http://eprint.iacr.org/2004/199.pdf
178
179			Thanks to
180			=========
181			I'd like to thank the following folks, in no specific order:
182			- Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper,
183			and also being stubborn enough in not accepting a partial solution.
184			- Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring
185			(ferringb): for being knowledgeable about the Portage Manifest2
186			codebase.
187
188			Copyright
189			=========
190	robbat2	1.4	Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
191	cardoe	1.1	distributed only subject to the terms and conditions set forth in the
192			Open Publication License, v1.0.
193
194			vim: tw=72 ts=2 expandtab: