/[gentoo]/xml/htdocs/proj/en/glep/glep-0059.txt
Gentoo

Contents of /xml/htdocs/proj/en/glep/glep-0059.txt

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.6 - (show annotations) (download)
Sun Jan 31 09:55:43 2010 UTC (4 years, 8 months ago) by robbat2
Branch: MAIN
Changes since 1.5: +6 -2 lines
File MIME type: text/plain
Note that GLEP59-61 are independantly useful, even without GLEP58.

1 GLEP: 59
2 Title: Manifest2 hash policies and security implications
3 Version: $Revision: 1.5 $
4 Last-Modified: $Date: 2010/01/31 07:55:45 $
5 Author: Robin Hugh Johnson <robbat2@gentoo.org>,
6 Status: Draft
7 Type: Standards Track
8 Content-Type: text/x-rst
9 Requires: 44
10 Created: October 2006
11 Updated: November 2007, June 2008, July 2008, October 2008, January 2010
12 Updates: 44
13 Post-History: December 2009, January 2010
14
15 Abstract
16 ========
17 While Manifest2 format allows multiple hashes, the question of which
18 checksums should be present, why, and the security implications of such
19 have never been resolved. This GLEP covers all of these issues, and
20 makes recommendations as to how to handle checksums both now, and in
21 future.
22
23 Motivation
24 ==========
25 This GLEP is being written as part of the work on signing the Portage
26 tree, but is only tangentially related to the actual signing of
27 Manifests. Checksums present one possible weak point in the overall
28 security of the tree - and a comprehensive security plan is needed.
29
30 This GLEP is not mandatory for the tree-signing specification, but
31 instead aims to improve the security of the hashes used in Manifest2.
32 As such, it is also able to stand on it's own.
33
34 Specification
35 =============
36 The bad news
37 ------------
38 First of all, I'd like to cover the bad news in checksum security.
39 A much discussed point, as been the simple question: What is the
40 security of multiple independent checksums on the same data?
41 The most common position (and indeed the one previously held by myself),
42 is that multiple checksums would be an increase in security, but we
43 could not provably quantify the amount of security this added.
44 The really bad news, is that this position is completely and utterly
45 wrong. Many of you will be aghast at this. There is extremely little
46 added security in multiple checksums as noted by Joux [J04]. For any set
47 of checksums, the actual strength lies in that of the strongest
48 checksum.
49
50 Wang et al [W04] extended Joux's [J04] work on SHA-0 to cover MD4, MD5,
51 HAVAL-128 and RIPEMD families of hashes.
52
53 How fast can MD5 be broken?
54 ---------------------------
55 For a general collision, not a pre-image attack, since the announcement
56 by Wang et al [W04], the time required to break MD5 has been massively
57 reduced. Originally at 1 hour on a near-supercomputer (IBM P690) and
58 estimated at 64 hours with a Pentium-3 1.7Ghz. This has gone down to
59 less than in two years, to 17 seconds [K06a].
60
61 08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours
62 03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours
63 11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours
64 03/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours
65 04/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours
66
67 If we accept a factor of 800x as a sample of how much faster a checksum
68 may be broken over the course of 2 years (MD5 using the above data is
69 >2000x), then existing checksums do not stand a significant chance of
70 survival in the future. We should thus accept that whatever checksums we
71 are using today, will be broken in the near future, and plan as best as
72 possible. (A brief review [H04] of the SHA1 attacks indicates an
73 improvement of ~600x in the same timespan).
74
75 And for those that claim implementation of these procedures is not yet
76 feasible, see [K06b] for an application that can produce two
77 self-extracting EXE files, with identical MD5s, and whatever payload you
78 want.
79
80 The good news
81 -------------
82 Of the checksums presently used by Manifest2 (SHA1, SHA256, RIPEMD160),
83 one stands close to being completely broken: SHA1; and another is
84 significantly weakened: RIPEMD160. The SHA2 series has suffered some
85 attacks, but still remains reasonably solid [G07],[K08].
86
87 To reduce the potential for future problems and any single checksum
88 break leading to a rapid decrease in security, we should incorporate the
89 strongest hash available from each family of checksums, and be prepared
90 to retire old checksums actively, unless there is a overriding reason to
91 keep a specific checksum, such as part of a migration plan.
92
93 What should be done
94 -------------------
95 Portage should always try to verify all supported hashes that are
96 available in a Manifest2, starting with the strongest ones as maintained
97 by a preference list. Over time, the weaker checksums should be removed
98 from Manifest2 files, once all old Portage installations have had
99 sufficient time to upgrade. We should be prepared to add stronger
100 checksums wherever possible, and to remove those that have been
101 defeated.
102
103 As soon as feasible, we should add the SHA512 and WHIRLPOOL algorithms.
104 In future, as stream-based checksums are developed (in response to the
105 development by NIST [AHS]), they should be considered and used.
106
107 The SHA512 algorithm is available in Python 2.5, which has been a
108 dependency of Portage since approximately Python 2.1.6.13.
109
110 The WHIRLPOOL checksum is not available within the PyCrypto library or
111 hashlib that is part of Python 2.5, but there are multiple alternative
112 Python implementations available, ranging from pure Python to C-based
113 (python-mhash).
114
115 The existence unsupported hash is not considered to be a failure unless
116 no supported hashes are available for a given Manifest entry.
117
118 Checksum depreciation timing
119 ----------------------------
120 For the current Portage, both SHA1 and RIPEMD160 should be immediately
121 removed, as they present no advantages over the already present SHA256.
122 SHA256 cannot be replaced immediately with SHA512, as existing Portage
123 versions need at least one supported algorithm present (SHA256 support
124 was added in June 2006), so it must be retained for some while.
125
126 Immediately:
127 - Add WHIRLPOOL and SHA512.
128 - Remove SHA1 and RIPEMD160.
129
130 After the majority of Portage installations include SHA512 support:
131 - Remove SHA256.
132
133 Backwards Compatibility
134 =======================
135 Old versions of Portage may support and expect only specific checksums.
136 This is accounted for in the checksum depreciation discussion.
137
138 References
139 ==========
140
141 [AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions",
142 (Advanced Hash Standard). http://csrc.nist.gov/pki/HashWorkshop/
143
144 [BOBO06] Boneh, D. and Boyen, X. (2006). "On the Impossibility of
145 Efficiently Combining Collision Resistant Hash Functions"; Proceedings
146 of CRYPTO 2006, Dwork, C. (Ed.); Lecture Notes in Computer Science
147 4117, pp. 570-583. Available online from:
148 http://crypto.stanford.edu/~dabo/abstracts/hashing.html
149
150 [H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). "On Corrective
151 Patterns for the SHA-2 Family". CRYPTO 2004 Cryptology ePrint Archive,
152 Report 2004/204. Available online from:
153 http://eprint.iacr.org/2004/207.pdf
154
155 [J04] Joux, Antoie. (2004). "Multicollisions in Iterated Hash
156 Functions - Application to Cascaded Constructions;" Proceedings of
157 CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science
158 3152, pp. 306-316. Available online from:
159 http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf
160
161 [K06a] Klima, V. (2006). "Tunnels in Hash Functions: MD5 Collisions
162 Within a Minute". Cryptology ePrint Archive, Report 2006/105.
163 Available online from: http://eprint.iacr.org/2006/105.pdf
164
165 [K06b] Klima, V. (2006). "Note and links to high-speed MD5 collision
166 proof of concept tools". Available online from:
167 http://cryptography.hyperlink.cz/2006/trick.txt
168
169 [K08] Klima, V. (2008). "On Collisions of Hash Functions Turbo SHA-2".
170 Cryptology ePrint Archive, Report 2008/003. Available online from:
171 http://eprint.iacr.org/2008/003.pdf
172
173 [G07] Gligoroski, D. and Knapskog, S.J. (2007). "Turbo SHA-2".
174 Cryptology ePrint Archive, Report 2007/403. Available online from:
175 http://eprint.iacr.org/2007/403.pdf
176
177 [W04] Wang, X. et al: "Collisions for Hash Functions MD4, MD5,
178 HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint
179 Archive, Report 2004/199, first version (August 16, 2004), second
180 version (August 17, 2004). Available online from:
181 http://eprint.iacr.org/2004/199.pdf
182
183 Thanks to
184 =========
185 I'd like to thank the following folks, in no specific order:
186 - Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper,
187 and also being stubborn enough in not accepting a partial solution.
188 - Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring
189 (ferringb): for being knowledgeable about the Portage Manifest2
190 codebase.
191
192 Copyright
193 =========
194 Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
195 distributed only subject to the terms and conditions set forth in the
196 Open Publication License, v1.0.
197
198 vim: tw=72 ts=2 expandtab:

  ViewVC Help
Powered by ViewVC 1.1.20