/[gentoo]/xml/htdocs/proj/en/glep/glep-0059.txt
Gentoo

Contents of /xml/htdocs/proj/en/glep/glep-0059.txt

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.8 - (hide annotations) (download)
Sun Feb 7 10:39:52 2010 UTC (4 years, 2 months ago) by robbat2
Branch: MAIN
Changes since 1.7: +34 -10 lines
File MIME type: text/plain
Fix items per mail <robbat2-20100204T024714-596935539Z@orbis-terrarum.net>.

1 cardoe 1.1 GLEP: 59
2     Title: Manifest2 hash policies and security implications
3 robbat2 1.8 Version: $Revision: 1.7 $
4     Last-Modified: $Date: 2010/02/02 05:49:27 $
5 cardoe 1.1 Author: Robin Hugh Johnson <robbat2@gentoo.org>,
6     Status: Draft
7     Type: Standards Track
8     Content-Type: text/x-rst
9     Requires: 44
10     Created: October 2006
11 robbat2 1.4 Updated: November 2007, June 2008, July 2008, October 2008, January 2010
12 cardoe 1.1 Updates: 44
13 robbat2 1.5 Post-History: December 2009, January 2010
14 cardoe 1.1
15     Abstract
16     ========
17     While Manifest2 format allows multiple hashes, the question of which
18     checksums should be present, why, and the security implications of such
19     have never been resolved. This GLEP covers all of these issues, and
20     makes recommendations as to how to handle checksums both now, and in
21     future.
22    
23     Motivation
24     ==========
25     This GLEP is being written as part of the work on signing the Portage
26     tree, but is only tangentially related to the actual signing of
27     Manifests. Checksums present one possible weak point in the overall
28     security of the tree - and a comprehensive security plan is needed.
29    
30 robbat2 1.6 This GLEP is not mandatory for the tree-signing specification, but
31     instead aims to improve the security of the hashes used in Manifest2.
32     As such, it is also able to stand on it's own.
33    
34 cardoe 1.1 Specification
35     =============
36     The bad news
37     ------------
38     First of all, I'd like to cover the bad news in checksum security.
39     A much discussed point, as been the simple question: What is the
40     security of multiple independent checksums on the same data?
41     The most common position (and indeed the one previously held by myself),
42     is that multiple checksums would be an increase in security, but we
43     could not provably quantify the amount of security this added.
44     The really bad news, is that this position is completely and utterly
45     wrong. Many of you will be aghast at this. There is extremely little
46 robbat2 1.5 added security in multiple checksums as noted by Joux [J04]. For any set
47     of checksums, the actual strength lies in that of the strongest
48     checksum.
49    
50     Wang et al [W04] extended Joux's [J04] work on SHA-0 to cover MD4, MD5,
51     HAVAL-128 and RIPEMD families of hashes.
52 cardoe 1.1
53     How fast can MD5 be broken?
54     ---------------------------
55 robbat2 1.5 For a general collision, not a pre-image attack, since the announcement
56     by Wang et al [W04], the time required to break MD5 has been massively
57     reduced. Originally at 1 hour on a near-supercomputer (IBM P690) and
58     estimated at 64 hours with a Pentium-3 1.7Ghz. This has gone down to
59     less than in two years, to 17 seconds [K06a].
60 cardoe 1.1
61 robbat2 1.8 - 08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours
62    
63     - 03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours
64    
65     - 11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours
66    
67     - 03/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours
68    
69     - 04/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours
70 cardoe 1.1
71     If we accept a factor of 800x as a sample of how much faster a checksum
72     may be broken over the course of 2 years (MD5 using the above data is
73     >2000x), then existing checksums do not stand a significant chance of
74     survival in the future. We should thus accept that whatever checksums we
75     are using today, will be broken in the near future, and plan as best as
76 robbat2 1.5 possible. (A brief review [H04] of the SHA1 attacks indicates an
77 cardoe 1.1 improvement of ~600x in the same timespan).
78    
79     And for those that claim implementation of these procedures is not yet
80     feasible, see [K06b] for an application that can produce two
81 robbat2 1.5 self-extracting EXE files, with identical MD5s, and whatever payload you
82     want.
83 cardoe 1.1
84     The good news
85     -------------
86 robbat2 1.5 Of the checksums presently used by Manifest2 (SHA1, SHA256, RIPEMD160),
87     one stands close to being completely broken: SHA1; and another is
88     significantly weakened: RIPEMD160. The SHA2 series has suffered some
89     attacks, but still remains reasonably solid [G07],[K08].
90 cardoe 1.1
91     To reduce the potential for future problems and any single checksum
92     break leading to a rapid decrease in security, we should incorporate the
93     strongest hash available from each family of checksums, and be prepared
94     to retire old checksums actively, unless there is a overriding reason to
95 robbat2 1.5 keep a specific checksum, such as part of a migration plan.
96 cardoe 1.1
97     What should be done
98     -------------------
99     Portage should always try to verify all supported hashes that are
100     available in a Manifest2, starting with the strongest ones as maintained
101     by a preference list. Over time, the weaker checksums should be removed
102     from Manifest2 files, once all old Portage installations have had
103 robbat2 1.8 sufficient time to upgrade. Stronger checksums shall be added as soon as
104     an implementation is available in Portage. Weak checksums may be removed
105     as long as the depreciation process is followed (see below).
106 cardoe 1.1
107 robbat2 1.5 As soon as feasible, we should add the SHA512 and WHIRLPOOL algorithms.
108     In future, as stream-based checksums are developed (in response to the
109     development by NIST [AHS]), they should be considered and used.
110    
111     The SHA512 algorithm is available in Python 2.5, which has been a
112 robbat2 1.7 dependency of Portage since approximately Portage 2.1.6.13.
113 robbat2 1.5
114     The WHIRLPOOL checksum is not available within the PyCrypto library or
115     hashlib that is part of Python 2.5, but there are multiple alternative
116     Python implementations available, ranging from pure Python to C-based
117     (python-mhash).
118    
119     The existence unsupported hash is not considered to be a failure unless
120     no supported hashes are available for a given Manifest entry.
121    
122     Checksum depreciation timing
123     ----------------------------
124 robbat2 1.8 General principles:
125     ~~~~~~~~~~~~~~~~~~~
126     A minimum set of depreciated checksums shall be maintained only to
127     support old package manager versions where needed by historically used
128     trees:
129    
130     - New package manager versions should NOT use depreciated checksums in
131    
132     - New trees with that have never used the depreciated checksums may omit
133     them for reasons of size, but are still strongly suggested to include
134     them.
135    
136     - Removal of depreciated checksums shall happen after no less than 18
137     months or one major Portage version cycle, whichever is greater.
138    
139     Immediate plans:
140     ~~~~~~~~~~~~~~~~
141 robbat2 1.5 For the current Portage, both SHA1 and RIPEMD160 should be immediately
142     removed, as they present no advantages over the already present SHA256.
143     SHA256 cannot be replaced immediately with SHA512, as existing Portage
144     versions need at least one supported algorithm present (SHA256 support
145     was added in June 2006), so it must be retained for some while.
146    
147     Immediately:
148 robbat2 1.8
149 robbat2 1.5 - Add WHIRLPOOL and SHA512.
150 robbat2 1.8
151 robbat2 1.5 - Remove SHA1 and RIPEMD160.
152 cardoe 1.1
153 robbat2 1.5 After the majority of Portage installations include SHA512 support:
154 robbat2 1.8
155 robbat2 1.5 - Remove SHA256.
156 cardoe 1.1
157     Backwards Compatibility
158     =======================
159     Old versions of Portage may support and expect only specific checksums.
160     This is accounted for in the checksum depreciation discussion.
161    
162 robbat2 1.7 For maximum compatiability, we should only have to include each of the
163     old algorithms that we are officially still supporting, as well as the
164     new ones that we prefer.
165    
166 cardoe 1.1 References
167     ==========
168    
169     [AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions",
170     (Advanced Hash Standard). http://csrc.nist.gov/pki/HashWorkshop/
171    
172     [BOBO06] Boneh, D. and Boyen, X. (2006). "On the Impossibility of
173     Efficiently Combining Collision Resistant Hash Functions"; Proceedings
174     of CRYPTO 2006, Dwork, C. (Ed.); Lecture Notes in Computer Science
175     4117, pp. 570-583. Available online from:
176     http://crypto.stanford.edu/~dabo/abstracts/hashing.html
177    
178     [H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). "On Corrective
179     Patterns for the SHA-2 Family". CRYPTO 2004 Cryptology ePrint Archive,
180     Report 2004/204. Available online from:
181     http://eprint.iacr.org/2004/207.pdf
182    
183 robbat2 1.2 [J04] Joux, Antoie. (2004). "Multicollisions in Iterated Hash
184     Functions - Application to Cascaded Constructions;" Proceedings of
185     CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science
186     3152, pp. 306-316. Available online from:
187 cardoe 1.1 http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf
188    
189     [K06a] Klima, V. (2006). "Tunnels in Hash Functions: MD5 Collisions
190     Within a Minute". Cryptology ePrint Archive, Report 2006/105.
191     Available online from: http://eprint.iacr.org/2006/105.pdf
192    
193     [K06b] Klima, V. (2006). "Note and links to high-speed MD5 collision
194     proof of concept tools". Available online from:
195     http://cryptography.hyperlink.cz/2006/trick.txt
196    
197     [K08] Klima, V. (2008). "On Collisions of Hash Functions Turbo SHA-2".
198     Cryptology ePrint Archive, Report 2008/003. Available online from:
199     http://eprint.iacr.org/2008/003.pdf
200    
201     [G07] Gligoroski, D. and Knapskog, S.J. (2007). "Turbo SHA-2".
202     Cryptology ePrint Archive, Report 2007/403. Available online from:
203     http://eprint.iacr.org/2007/403.pdf
204    
205     [W04] Wang, X. et al: "Collisions for Hash Functions MD4, MD5,
206     HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint
207     Archive, Report 2004/199, first version (August 16, 2004), second
208     version (August 17, 2004). Available online from:
209     http://eprint.iacr.org/2004/199.pdf
210    
211     Thanks to
212     =========
213     I'd like to thank the following folks, in no specific order:
214     - Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper,
215     and also being stubborn enough in not accepting a partial solution.
216     - Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring
217     (ferringb): for being knowledgeable about the Portage Manifest2
218     codebase.
219    
220     Copyright
221     =========
222 robbat2 1.4 Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
223 cardoe 1.1 distributed only subject to the terms and conditions set forth in the
224     Open Publication License, v1.0.
225    
226     vim: tw=72 ts=2 expandtab:

  ViewVC Help
Powered by ViewVC 1.1.20