/[gentoo]/xml/htdocs/proj/en/glep/glep-0059.txt
Gentoo

Diff of /xml/htdocs/proj/en/glep/glep-0059.txt

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

Revision 1.4 Revision 1.9
1GLEP: 59 1GLEP: 59
2Title: Manifest2 hash policies and security implications 2Title: Manifest2 hash policies and security implications
3Version: $Revision: 1.4 $ 3Version: $Revision: 1.9 $
4Last-Modified: $Date: 2010/01/13 03:26:53 $ 4Last-Modified: $Date: 2010/04/07 21:34:24 $
5Author: Robin Hugh Johnson <robbat2@gentoo.org>, 5Author: Robin Hugh Johnson <robbat2@gentoo.org>,
6Status: Draft 6Status: Draft
7Type: Standards Track 7Type: Standards Track
8Content-Type: text/x-rst 8Content-Type: text/x-rst
9Requires: 44 9Requires: 44
10Created: October 2006 10Created: October 2006
11Updated: November 2007, June 2008, July 2008, October 2008, January 2010 11Updated: November 2007, June 2008, July 2008, October 2008, January 2010
12Updates: 44 12Updates: 44
13Post-History: December 2009 13Post-History: December 2009, January 2010
14 14
15Abstract 15Abstract
16======== 16========
17While Manifest2 format allows multiple hashes, the question of which 17While Manifest2 format allows multiple hashes, the question of which
18checksums should be present, why, and the security implications of such 18checksums should be present, why, and the security implications of such
24========== 24==========
25This GLEP is being written as part of the work on signing the Portage 25This GLEP is being written as part of the work on signing the Portage
26tree, but is only tangentially related to the actual signing of 26tree, but is only tangentially related to the actual signing of
27Manifests. Checksums present one possible weak point in the overall 27Manifests. Checksums present one possible weak point in the overall
28security of the tree - and a comprehensive security plan is needed. 28security of the tree - and a comprehensive security plan is needed.
29
30This GLEP is not mandatory for the tree-signing specification, but
31instead aims to improve the security of the hashes used in Manifest2
32[GLEP44]. As such, it is also able to stand on it's own.
29 33
30Specification 34Specification
31============= 35=============
32The bad news 36The bad news
33------------ 37------------
37The most common position (and indeed the one previously held by myself), 41The most common position (and indeed the one previously held by myself),
38is that multiple checksums would be an increase in security, but we 42is that multiple checksums would be an increase in security, but we
39could not provably quantify the amount of security this added. 43could not provably quantify the amount of security this added.
40The really bad news, is that this position is completely and utterly 44The really bad news, is that this position is completely and utterly
41wrong. Many of you will be aghast at this. There is extremely little 45wrong. Many of you will be aghast at this. There is extremely little
42added security in multiple checksums [J04]. For any set of checksums, 46added security in multiple checksums as noted by Joux [J04]. For any set
43the actual strength lies in that of the strongest checksum. 47of checksums, the actual strength lies in that of the strongest
48checksum.
49
50Wang et al [W04] extended Joux's [J04] work on SHA-0 to cover MD4, MD5,
51HAVAL-128 and RIPEMD families of hashes.
44 52
45How fast can MD5 be broken? 53How fast can MD5 be broken?
46--------------------------- 54---------------------------
47For a general collision, not a pre-image attack, since the original 55For a general collision, not a pre-image attack, since the announcement
48announcement by Wang et al [W04], the time required to break MD5 has 56by Wang et al [W04], the time required to break MD5 has been massively
49been massively reduced. Originally at 1 hour on a near-supercomputer 57reduced. Originally at 1 hour on a near-supercomputer (IBM P690) and
50(IBM P690) and estimated at 64 hours with a Pentium-3 1.7Ghz. This has 58estimated at 64 hours with a Pentium-3 1.7Ghz. This has gone down to
51gone down to less than in two years, to 17 seconds [K06a]! 59less than in two years, to 17 seconds [K06a].
52 60
5308/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours 61- 08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours
62
5403/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours 63- 03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours
64
5511/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours 65- 11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours
66
5603/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours 67- 03/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours
68
5704/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours 69- 04/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours
58 70
59If we accept a factor of 800x as a sample of how much faster a checksum 71If we accept a factor of 800x as a sample of how much faster a checksum
60may be broken over the course of 2 years (MD5 using the above data is 72may be broken over the course of 2 years (MD5 using the above data is
61>2000x), then existing checksums do not stand a significant chance of 73>2000x), then existing checksums do not stand a significant chance of
62survival in the future. We should thus accept that whatever checksums we 74survival in the future. We should thus accept that whatever checksums we
63are using today, will be broken in the near future, and plan as best as 75are using today, will be broken in the near future, and plan as best as
64possible. (A brief review [H04] of the present SHA1 attacks indicates an 76possible. (A brief review [H04] of the SHA1 attacks indicates an
65improvement of ~600x in the same timespan). 77improvement of ~600x in the same timespan).
66 78
67And for those that claim implementation of these procedures is not yet 79And for those that claim implementation of these procedures is not yet
68feasible, see [K06b] for an application that can produce two 80feasible, see [K06b] for an application that can produce two
69self-extracting .exe files, with identical MD5s, and whatever payload 81self-extracting EXE files, with identical MD5s, and whatever payload you
70you want. 82want.
71 83
72The good news 84The good news
73------------- 85-------------
74Of the checksums presently used by Manifest2, one stands close to being 86Of the checksums presently used by Manifest2 (SHA1, SHA256, RIPEMD160),
75completely broken: SHA1. The SHA2 series has suffered some attacks, but 87one stands close to being completely broken: SHA1; and another is
76still remains reasonably solid [G07],[K08]. No attacks against RIPEMD160 88significantly weakened: RIPEMD160. The SHA2 series has suffered some
77have been published, however it is constructed in the same manner as 89attacks, but still remains reasonably solid [G07],[K08].
78MD5, SHA1 and SHA2, so is also vulnerable to the new methods of
79cryptanalysis [H04].
80 90
81To reduce the potential for future problems and any single checksum 91To reduce the potential for future problems and any single checksum
82break leading to a rapid decrease in security, we should incorporate the 92break leading to a rapid decrease in security, we should incorporate the
83strongest hash available from each family of checksums, and be prepared 93strongest hash available from each family of checksums, and be prepared
84to retire old checksums actively, unless there is a overriding reason to 94to retire old checksums actively, unless there is a overriding reason to
85keep a specific checksum. 95keep a specific checksum, such as part of a migration plan.
86 96
87What should be done 97What should be done
88------------------- 98-------------------
89Portage should always try to verify all supported hashes that are 99Portage should always try to verify all supported hashes that are
90available in a Manifest2, starting with the strongest ones as maintained 100available in a Manifest2, starting with the strongest ones as maintained
91by a preference list. Over time, the weaker checksums should be removed 101by a preference list. Over time, the weaker checksums should be removed
92from Manifest2 files, once all old Portage installations have had 102from Manifest2 files, once all old Portage installations have had
93sufficient time to upgrade. We should be prepared to add stronger 103sufficient time to upgrade. Stronger checksums shall be added as soon as
94checksums wherever possible, and to remove those that have been 104an implementation is available in Portage. Weak checksums may be removed
95defeated. 105as long as the depreciation process is followed (see below).
96 106
107As soon as feasible, we should add the SHA512 and WHIRLPOOL algorithms.
108In future, as stream-based checksums are developed (in response to the
109development by NIST [AHS]), they should be considered and used.
110
111The SHA512 algorithm is available in Python 2.5, which has been a
112dependency of Portage since approximately Portage 2.1.6.13.
113
114The WHIRLPOOL checksum is not available within the PyCrypto library or
115hashlib that is part of Python 2.5, but there are multiple alternative
116Python implementations available, ranging from pure Python to C-based
117(python-mhash).
118
97An unsupported hash is not considered to be a failure unless no 119The existence unsupported hash is not considered to be a failure unless
98supported hashes are available. 120no supported hashes are available for a given Manifest entry.
99 121
100Checksum depreciation 122Checksum depreciation timing
123----------------------------
124General principles:
101~~~~~~~~~~~~~~~~~~~~~ 125~~~~~~~~~~~~~~~~~~~
102For the current Portage, SHA1 should be gradually removed, as presents 126A minimum set of depreciated checksums shall be maintained only to
103no advantages over SHA256. Beyond one specific problem (see the next 127support old package manager versions where needed by historically used
104paragraph), we should add SHA512 (SHA2, 512 bit size), the Whirlpool 128trees:
105checksum (standardized checksum, with no known weaknesses). In future,
106as stream-based checksums are developed (in response to the development
107by NIST [AHS]), they should be considered and used.
108 129
109There is one temporary stumbling block at hand - the existing Portage 130- New package manager versions should NOT use depreciated checksums in
110infrastructure does not support SHA384/512 or Whirlpool, thus hampering 131
111their immediate acceptance. SHA512 is available in Python 2.5, while 132- New trees with that have never used the depreciated checksums may omit
112SHA1 is already available in Python 2.4. After Python2.5 is established 133 them for reasons of size, but are still strongly suggested to include
113in a Gentoo media release, that would be a suitable time to remove SHA1 134 them.
114from Manifest2 files. 135
136- Removal of depreciated checksums shall happen after no less than 18
137 months or one major Portage version cycle, whichever is greater.
138
139Immediate plans:
140~~~~~~~~~~~~~~~~
141For the current Portage, both SHA1 and RIPEMD160 should be immediately
142removed, as they present no advantages over the already present SHA256.
143SHA256 cannot be replaced immediately with SHA512, as existing Portage
144versions need at least one supported algorithm present (SHA256 support
145was added in June 2006), so it must be retained for some while.
146
147Immediately:
148
149- Add WHIRLPOOL and SHA512.
150
151- Remove SHA1 and RIPEMD160.
152
153After the majority of Portage installations include SHA512 support:
154
155- Remove SHA256.
115 156
116Backwards Compatibility 157Backwards Compatibility
117======================= 158=======================
118Old versions of Portage may support and expect only specific checksums. 159Old versions of Portage may support and expect only specific checksums.
119This is accounted for in the checksum depreciation discussion. 160This is accounted for in the checksum depreciation discussion.
161
162For maximum compatiability, we should only have to include each of the
163old algorithms that we are officially still supporting, as well as the
164new ones that we prefer.
120 165
121References 166References
122========== 167==========
123 168
124[AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions", 169[AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions",
170 and also being stubborn enough in not accepting a partial solution. 215 and also being stubborn enough in not accepting a partial solution.
171 - Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring 216 - Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring
172 (ferringb): for being knowledgeable about the Portage Manifest2 217 (ferringb): for being knowledgeable about the Portage Manifest2
173 codebase. 218 codebase.
174 219
220References
221==========
222.. [GLEP44] Mauch, M. (2005) GLEP44 - Manifest2 format.
223 http://www.gentoo.org/proj/en/glep/glep-0044.html
224
175Copyright 225Copyright
176========= 226=========
177Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be 227Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
178distributed only subject to the terms and conditions set forth in the 228distributed only subject to the terms and conditions set forth in the
179Open Publication License, v1.0. 229Open Publication License, v1.0.
180 230
181vim: tw=72 ts=2 expandtab: 231.. vim: tw=72 ts=2 expandtab:
Legend:
Removed from v.1.4  
changed lines
  Added in v.1.9
  ViewVC Help
Powered by ViewVC 1.1.13