/[gentoo]/xml/htdocs/proj/en/glep/glep-0059.txt
Gentoo

Diff of /xml/htdocs/proj/en/glep/glep-0059.txt

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

Revision 1.1 Revision 1.7
1GLEP: 59 1GLEP: 59
2Title: Manifest2 hash policies and security implications 2Title: Manifest2 hash policies and security implications
3Version: $Revision: 1.1 $ 3Version: $Revision: 1.7 $
4Last-Modified: $Date: 2008/10/21 23:30:47 $ 4Last-Modified: $Date: 2010/02/02 05:49:27 $
5Author: Robin Hugh Johnson <robbat2@gentoo.org>, 5Author: Robin Hugh Johnson <robbat2@gentoo.org>,
6Status: Draft 6Status: Draft
7Type: Standards Track 7Type: Standards Track
8Content-Type: text/x-rst 8Content-Type: text/x-rst
9Requires: 44 9Requires: 44
10Created: October 2006 10Created: October 2006
11Updated: November 2007, June 2008, July 2008 11Updated: November 2007, June 2008, July 2008, October 2008, January 2010
12Updates: 44 12Updates: 44
13Post-History: December 2009, January 2010
13 14
14Abstract 15Abstract
15======== 16========
16While Manifest2 format allows multiple hashes, the question of which 17While Manifest2 format allows multiple hashes, the question of which
17checksums should be present, why, and the security implications of such 18checksums should be present, why, and the security implications of such
23========== 24==========
24This GLEP is being written as part of the work on signing the Portage 25This GLEP is being written as part of the work on signing the Portage
25tree, but is only tangentially related to the actual signing of 26tree, but is only tangentially related to the actual signing of
26Manifests. Checksums present one possible weak point in the overall 27Manifests. Checksums present one possible weak point in the overall
27security of the tree - and a comprehensive security plan is needed. 28security of the tree - and a comprehensive security plan is needed.
29
30This GLEP is not mandatory for the tree-signing specification, but
31instead aims to improve the security of the hashes used in Manifest2.
32As such, it is also able to stand on it's own.
28 33
29Specification 34Specification
30============= 35=============
31The bad news 36The bad news
32------------ 37------------
36The most common position (and indeed the one previously held by myself), 41The most common position (and indeed the one previously held by myself),
37is that multiple checksums would be an increase in security, but we 42is that multiple checksums would be an increase in security, but we
38could not provably quantify the amount of security this added. 43could not provably quantify the amount of security this added.
39The really bad news, is that this position is completely and utterly 44The really bad news, is that this position is completely and utterly
40wrong. Many of you will be aghast at this. There is extremely little 45wrong. Many of you will be aghast at this. There is extremely little
41added security in multiple checksums [J04]. For any set of checksums, 46added security in multiple checksums as noted by Joux [J04]. For any set
42the actual strength lies in that of the strongest checksum. 47of checksums, the actual strength lies in that of the strongest
48checksum.
49
50Wang et al [W04] extended Joux's [J04] work on SHA-0 to cover MD4, MD5,
51HAVAL-128 and RIPEMD families of hashes.
43 52
44How fast can MD5 be broken? 53How fast can MD5 be broken?
45--------------------------- 54---------------------------
46For a general collision, not a pre-image attack, since the original 55For a general collision, not a pre-image attack, since the announcement
47announcement by Wang et al [W04], the time required to break MD5 has 56by Wang et al [W04], the time required to break MD5 has been massively
48been massively reduced. Originally at 1 hour on a near-supercomputer 57reduced. Originally at 1 hour on a near-supercomputer (IBM P690) and
49(IBM P690) and estimated at 64 hours with a Pentium-3 1.7Ghz. This has 58estimated at 64 hours with a Pentium-3 1.7Ghz. This has gone down to
50gone down to less than in two years, to 17 seconds [K06a]! 59less than in two years, to 17 seconds [K06a].
51 60
5208/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours 6108/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours
5303/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours 6203/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours
5411/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours 6311/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours
5503/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours 6403/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours
58If we accept a factor of 800x as a sample of how much faster a checksum 67If we accept a factor of 800x as a sample of how much faster a checksum
59may be broken over the course of 2 years (MD5 using the above data is 68may be broken over the course of 2 years (MD5 using the above data is
60>2000x), then existing checksums do not stand a significant chance of 69>2000x), then existing checksums do not stand a significant chance of
61survival in the future. We should thus accept that whatever checksums we 70survival in the future. We should thus accept that whatever checksums we
62are using today, will be broken in the near future, and plan as best as 71are using today, will be broken in the near future, and plan as best as
63possible. (A brief review [H04] of the present SHA1 attacks indicates an 72possible. (A brief review [H04] of the SHA1 attacks indicates an
64improvement of ~600x in the same timespan). 73improvement of ~600x in the same timespan).
65 74
66And for those that claim implementation of these procedures is not yet 75And for those that claim implementation of these procedures is not yet
67feasible, see [K06b] for an application that can produce two 76feasible, see [K06b] for an application that can produce two
68self-extracting .exe files, with identical MD5s, and whatever payload 77self-extracting EXE files, with identical MD5s, and whatever payload you
69you want. 78want.
70 79
71The good news 80The good news
72------------- 81-------------
73Of the checksums presently used by Manifest2, one stands close to being 82Of the checksums presently used by Manifest2 (SHA1, SHA256, RIPEMD160),
74completely broken: SHA1. The SHA2 series has suffered some attacks, but 83one stands close to being completely broken: SHA1; and another is
75still remains reasonably solid [G07],[K08]. No attacks against RIPEMD160 84significantly weakened: RIPEMD160. The SHA2 series has suffered some
76have been published, however it is constructed in the same manner as 85attacks, but still remains reasonably solid [G07],[K08].
77MD5, SHA1 and SHA2, so is also vulnerable to the new methods of
78cryptanalysis [H04].
79 86
80To reduce the potential for future problems and any single checksum 87To reduce the potential for future problems and any single checksum
81break leading to a rapid decrease in security, we should incorporate the 88break leading to a rapid decrease in security, we should incorporate the
82strongest hash available from each family of checksums, and be prepared 89strongest hash available from each family of checksums, and be prepared
83to retire old checksums actively, unless there is a overriding reason to 90to retire old checksums actively, unless there is a overriding reason to
84keep a specific checksum. 91keep a specific checksum, such as part of a migration plan.
85 92
86What should be done 93What should be done
87------------------- 94-------------------
88Portage should always try to verify all supported hashes that are 95Portage should always try to verify all supported hashes that are
89available in a Manifest2, starting with the strongest ones as maintained 96available in a Manifest2, starting with the strongest ones as maintained
91from Manifest2 files, once all old Portage installations have had 98from Manifest2 files, once all old Portage installations have had
92sufficient time to upgrade. We should be prepared to add stronger 99sufficient time to upgrade. We should be prepared to add stronger
93checksums wherever possible, and to remove those that have been 100checksums wherever possible, and to remove those that have been
94defeated. 101defeated.
95 102
96An unsupported hash is not considered to be a failure unless no 103As soon as feasible, we should add the SHA512 and WHIRLPOOL algorithms.
97supported hashes are available.
98
99Checksum depreciation
100~~~~~~~~~~~~~~~~~~~~~
101For the current Portage, SHA1 should be gradually removed, as presents
102no advantages over SHA256. Beyond one specific problem (see the next
103paragraph), we should add SHA512 (SHA2, 512 bit size), the Whirlpool
104checksum (standardized checksum, with no known weaknesses). In future,
105as stream-based checksums are developed (in response to the development 104In future, as stream-based checksums are developed (in response to the
106by NIST [AHS]), they should be considered and used. 105development by NIST [AHS]), they should be considered and used.
107 106
108There is one temporary stumbling block at hand - the existing Portage 107The SHA512 algorithm is available in Python 2.5, which has been a
109infrastructure does not support SHA384/512 or Whirlpool, thus hampering 108dependency of Portage since approximately Portage 2.1.6.13.
110their immediate acceptance. SHA512 is available in Python 2.5, while 109
111SHA1 is already available in Python 2.4. After Python2.5 is established 110The WHIRLPOOL checksum is not available within the PyCrypto library or
112in a Gentoo media release, that would be a suitable time to remove SHA1 111hashlib that is part of Python 2.5, but there are multiple alternative
113from Manifest2 files. 112Python implementations available, ranging from pure Python to C-based
113(python-mhash).
114
115The existence unsupported hash is not considered to be a failure unless
116no supported hashes are available for a given Manifest entry.
117
118Checksum depreciation timing
119----------------------------
120For the current Portage, both SHA1 and RIPEMD160 should be immediately
121removed, as they present no advantages over the already present SHA256.
122SHA256 cannot be replaced immediately with SHA512, as existing Portage
123versions need at least one supported algorithm present (SHA256 support
124was added in June 2006), so it must be retained for some while.
125
126Immediately:
127- Add WHIRLPOOL and SHA512.
128- Remove SHA1 and RIPEMD160.
129
130After the majority of Portage installations include SHA512 support:
131- Remove SHA256.
114 132
115Backwards Compatibility 133Backwards Compatibility
116======================= 134=======================
117Old versions of Portage may support and expect only specific checksums. 135Old versions of Portage may support and expect only specific checksums.
118This is accounted for in the checksum depreciation discussion. 136This is accounted for in the checksum depreciation discussion.
137
138For maximum compatiability, we should only have to include each of the
139old algorithms that we are officially still supporting, as well as the
140new ones that we prefer.
119 141
120References 142References
121========== 143==========
122 144
123[AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions", 145[AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions",
132[H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). "On Corrective 154[H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). "On Corrective
133 Patterns for the SHA-2 Family". CRYPTO 2004 Cryptology ePrint Archive, 155 Patterns for the SHA-2 Family". CRYPTO 2004 Cryptology ePrint Archive,
134 Report 2004/204. Available online from: 156 Report 2004/204. Available online from:
135 http://eprint.iacr.org/2004/207.pdf 157 http://eprint.iacr.org/2004/207.pdf
136 158
137[J04] Joux, Antoie. (2004). "Multicollisions in Iterated Hash Functions 159[J04] Joux, Antoie. (2004). "Multicollisions in Iterated Hash
138 - Application to Cascaded Constructions;" Proceedings of CRYPTO 2004, 160 Functions - Application to Cascaded Constructions;" Proceedings of
139 Franklin, M. (Ed); Lecture Notes in Computer Science 3152, pp. 161 CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science
140 306-316. Available online from: 162 3152, pp. 306-316. Available online from:
141 http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf 163 http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf
142 164
143[K06a] Klima, V. (2006). "Tunnels in Hash Functions: MD5 Collisions 165[K06a] Klima, V. (2006). "Tunnels in Hash Functions: MD5 Collisions
144 Within a Minute". Cryptology ePrint Archive, Report 2006/105. 166 Within a Minute". Cryptology ePrint Archive, Report 2006/105.
145 Available online from: http://eprint.iacr.org/2006/105.pdf 167 Available online from: http://eprint.iacr.org/2006/105.pdf
171 (ferringb): for being knowledgeable about the Portage Manifest2 193 (ferringb): for being knowledgeable about the Portage Manifest2
172 codebase. 194 codebase.
173 195
174Copyright 196Copyright
175========= 197=========
176Copyright (c) 2006 by Robin Hugh Johnson. This material may be 198Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
177distributed only subject to the terms and conditions set forth in the 199distributed only subject to the terms and conditions set forth in the
178Open Publication License, v1.0. 200Open Publication License, v1.0.
179 201
180vim: tw=72 ts=2 expandtab: 202vim: tw=72 ts=2 expandtab:

Legend:
Removed from v.1.1  
changed lines
  Added in v.1.7

  ViewVC Help
Powered by ViewVC 1.1.20