/[gentoo]/xml/htdocs/proj/en/glep/glep-0059.txt
Gentoo

Contents of /xml/htdocs/proj/en/glep/glep-0059.txt

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.5 - (hide annotations) (download)
Sun Jan 31 07:55:45 2010 UTC (4 years, 10 months ago) by robbat2
Branch: MAIN
Changes since 1.4: +50 -37 lines
File MIME type: text/plain
Revise GLEP59 per Calchan questions: Python 2.5 is widely deployed now and provides SHA512. RIPEMD160 is broken. WHIRLPOOL added. Migration plan detail added.

1 cardoe 1.1 GLEP: 59
2     Title: Manifest2 hash policies and security implications
3 robbat2 1.5 Version: $Revision: 1.4 $
4     Last-Modified: $Date: 2010/01/13 03:26:53 $
5 cardoe 1.1 Author: Robin Hugh Johnson <robbat2@gentoo.org>,
6     Status: Draft
7     Type: Standards Track
8     Content-Type: text/x-rst
9     Requires: 44
10     Created: October 2006
11 robbat2 1.4 Updated: November 2007, June 2008, July 2008, October 2008, January 2010
12 cardoe 1.1 Updates: 44
13 robbat2 1.5 Post-History: December 2009, January 2010
14 cardoe 1.1
15     Abstract
16     ========
17     While Manifest2 format allows multiple hashes, the question of which
18     checksums should be present, why, and the security implications of such
19     have never been resolved. This GLEP covers all of these issues, and
20     makes recommendations as to how to handle checksums both now, and in
21     future.
22    
23     Motivation
24     ==========
25     This GLEP is being written as part of the work on signing the Portage
26     tree, but is only tangentially related to the actual signing of
27     Manifests. Checksums present one possible weak point in the overall
28     security of the tree - and a comprehensive security plan is needed.
29    
30     Specification
31     =============
32     The bad news
33     ------------
34     First of all, I'd like to cover the bad news in checksum security.
35     A much discussed point, as been the simple question: What is the
36     security of multiple independent checksums on the same data?
37     The most common position (and indeed the one previously held by myself),
38     is that multiple checksums would be an increase in security, but we
39     could not provably quantify the amount of security this added.
40     The really bad news, is that this position is completely and utterly
41     wrong. Many of you will be aghast at this. There is extremely little
42 robbat2 1.5 added security in multiple checksums as noted by Joux [J04]. For any set
43     of checksums, the actual strength lies in that of the strongest
44     checksum.
45    
46     Wang et al [W04] extended Joux's [J04] work on SHA-0 to cover MD4, MD5,
47     HAVAL-128 and RIPEMD families of hashes.
48 cardoe 1.1
49     How fast can MD5 be broken?
50     ---------------------------
51 robbat2 1.5 For a general collision, not a pre-image attack, since the announcement
52     by Wang et al [W04], the time required to break MD5 has been massively
53     reduced. Originally at 1 hour on a near-supercomputer (IBM P690) and
54     estimated at 64 hours with a Pentium-3 1.7Ghz. This has gone down to
55     less than in two years, to 17 seconds [K06a].
56 cardoe 1.1
57     08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours
58     03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours
59     11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours
60     03/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours
61     04/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours
62    
63     If we accept a factor of 800x as a sample of how much faster a checksum
64     may be broken over the course of 2 years (MD5 using the above data is
65     >2000x), then existing checksums do not stand a significant chance of
66     survival in the future. We should thus accept that whatever checksums we
67     are using today, will be broken in the near future, and plan as best as
68 robbat2 1.5 possible. (A brief review [H04] of the SHA1 attacks indicates an
69 cardoe 1.1 improvement of ~600x in the same timespan).
70    
71     And for those that claim implementation of these procedures is not yet
72     feasible, see [K06b] for an application that can produce two
73 robbat2 1.5 self-extracting EXE files, with identical MD5s, and whatever payload you
74     want.
75 cardoe 1.1
76     The good news
77     -------------
78 robbat2 1.5 Of the checksums presently used by Manifest2 (SHA1, SHA256, RIPEMD160),
79     one stands close to being completely broken: SHA1; and another is
80     significantly weakened: RIPEMD160. The SHA2 series has suffered some
81     attacks, but still remains reasonably solid [G07],[K08].
82 cardoe 1.1
83     To reduce the potential for future problems and any single checksum
84     break leading to a rapid decrease in security, we should incorporate the
85     strongest hash available from each family of checksums, and be prepared
86     to retire old checksums actively, unless there is a overriding reason to
87 robbat2 1.5 keep a specific checksum, such as part of a migration plan.
88 cardoe 1.1
89     What should be done
90     -------------------
91     Portage should always try to verify all supported hashes that are
92     available in a Manifest2, starting with the strongest ones as maintained
93     by a preference list. Over time, the weaker checksums should be removed
94     from Manifest2 files, once all old Portage installations have had
95     sufficient time to upgrade. We should be prepared to add stronger
96     checksums wherever possible, and to remove those that have been
97     defeated.
98    
99 robbat2 1.5 As soon as feasible, we should add the SHA512 and WHIRLPOOL algorithms.
100     In future, as stream-based checksums are developed (in response to the
101     development by NIST [AHS]), they should be considered and used.
102    
103     The SHA512 algorithm is available in Python 2.5, which has been a
104     dependency of Portage since approximately Python 2.1.6.13.
105    
106     The WHIRLPOOL checksum is not available within the PyCrypto library or
107     hashlib that is part of Python 2.5, but there are multiple alternative
108     Python implementations available, ranging from pure Python to C-based
109     (python-mhash).
110    
111     The existence unsupported hash is not considered to be a failure unless
112     no supported hashes are available for a given Manifest entry.
113    
114     Checksum depreciation timing
115     ----------------------------
116     For the current Portage, both SHA1 and RIPEMD160 should be immediately
117     removed, as they present no advantages over the already present SHA256.
118     SHA256 cannot be replaced immediately with SHA512, as existing Portage
119     versions need at least one supported algorithm present (SHA256 support
120     was added in June 2006), so it must be retained for some while.
121    
122     Immediately:
123     - Add WHIRLPOOL and SHA512.
124     - Remove SHA1 and RIPEMD160.
125 cardoe 1.1
126 robbat2 1.5 After the majority of Portage installations include SHA512 support:
127     - Remove SHA256.
128 cardoe 1.1
129     Backwards Compatibility
130     =======================
131     Old versions of Portage may support and expect only specific checksums.
132     This is accounted for in the checksum depreciation discussion.
133    
134     References
135     ==========
136    
137     [AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions",
138     (Advanced Hash Standard). http://csrc.nist.gov/pki/HashWorkshop/
139    
140     [BOBO06] Boneh, D. and Boyen, X. (2006). "On the Impossibility of
141     Efficiently Combining Collision Resistant Hash Functions"; Proceedings
142     of CRYPTO 2006, Dwork, C. (Ed.); Lecture Notes in Computer Science
143     4117, pp. 570-583. Available online from:
144     http://crypto.stanford.edu/~dabo/abstracts/hashing.html
145    
146     [H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). "On Corrective
147     Patterns for the SHA-2 Family". CRYPTO 2004 Cryptology ePrint Archive,
148     Report 2004/204. Available online from:
149     http://eprint.iacr.org/2004/207.pdf
150    
151 robbat2 1.2 [J04] Joux, Antoie. (2004). "Multicollisions in Iterated Hash
152     Functions - Application to Cascaded Constructions;" Proceedings of
153     CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science
154     3152, pp. 306-316. Available online from:
155 cardoe 1.1 http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf
156    
157     [K06a] Klima, V. (2006). "Tunnels in Hash Functions: MD5 Collisions
158     Within a Minute". Cryptology ePrint Archive, Report 2006/105.
159     Available online from: http://eprint.iacr.org/2006/105.pdf
160    
161     [K06b] Klima, V. (2006). "Note and links to high-speed MD5 collision
162     proof of concept tools". Available online from:
163     http://cryptography.hyperlink.cz/2006/trick.txt
164    
165     [K08] Klima, V. (2008). "On Collisions of Hash Functions Turbo SHA-2".
166     Cryptology ePrint Archive, Report 2008/003. Available online from:
167     http://eprint.iacr.org/2008/003.pdf
168    
169     [G07] Gligoroski, D. and Knapskog, S.J. (2007). "Turbo SHA-2".
170     Cryptology ePrint Archive, Report 2007/403. Available online from:
171     http://eprint.iacr.org/2007/403.pdf
172    
173     [W04] Wang, X. et al: "Collisions for Hash Functions MD4, MD5,
174     HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint
175     Archive, Report 2004/199, first version (August 16, 2004), second
176     version (August 17, 2004). Available online from:
177     http://eprint.iacr.org/2004/199.pdf
178    
179     Thanks to
180     =========
181     I'd like to thank the following folks, in no specific order:
182     - Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper,
183     and also being stubborn enough in not accepting a partial solution.
184     - Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring
185     (ferringb): for being knowledgeable about the Portage Manifest2
186     codebase.
187    
188     Copyright
189     =========
190 robbat2 1.4 Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
191 cardoe 1.1 distributed only subject to the terms and conditions set forth in the
192     Open Publication License, v1.0.
193    
194     vim: tw=72 ts=2 expandtab:

  ViewVC Help
Powered by ViewVC 1.1.20