en/glep/glep-0059.txt

GLEP: 59
Title: Manifest2 hash policies and security implications
Version: $Revision: 1.8 $
Last-Modified: $Date: 2010/02/07 10:39:52 $
Author: Robin Hugh Johnson <robbat2@gentoo.org>, 
Status: Draft
Type: Standards Track
Content-Type: text/x-rst
Requires: 44
Created: October 2006
Updated: November 2007, June 2008, July 2008, October 2008, January 2010
Updates: 44
Post-History: December 2009, January 2010

Abstract
========
While Manifest2 format allows multiple hashes, the question of which
checksums should be present, why, and the security implications of such
have never been resolved. This GLEP covers all of these issues, and
makes recommendations as to how to handle checksums both now, and in
future.

Motivation
==========
This GLEP is being written as part of the work on signing the Portage
tree, but is only tangentially related to the actual signing of
Manifests. Checksums present one possible weak point in the overall
security of the tree - and a comprehensive security plan is needed.

This GLEP is not mandatory for the tree-signing specification, but
instead aims to improve the security of the hashes used in Manifest2
[GLEP44]. As such, it is also able to stand on it's own.

Specification
=============
The bad news
------------
First of all, I'd like to cover the bad news in checksum security.
A much discussed point, as been the simple question: What is the
security of multiple independent checksums on the same data?
The most common position (and indeed the one previously held by myself),
is that multiple checksums would be an increase in security, but we
could not provably quantify the amount of security this added.
The really bad news, is that this position is completely and utterly
wrong. Many of you will be aghast at this. There is extremely little
added security in multiple checksums as noted by Joux [J04]. For any set
of checksums, the actual strength lies in that of the strongest
checksum.

Wang et al [W04] extended Joux's [J04] work on SHA-0 to cover MD4, MD5,
HAVAL-128 and RIPEMD families of hashes.

How fast can MD5 be broken?
---------------------------
For a general collision, not a pre-image attack, since the announcement
by Wang et al [W04], the time required to break MD5 has been massively
reduced. Originally at 1 hour on a near-supercomputer (IBM P690) and
estimated at 64 hours with a Pentium-3 1.7Ghz. This has gone down to
less than in two years, to 17 seconds [K06a].

- 08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours

- 03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours

- 11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours

- 03/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours

- 04/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours

If we accept a factor of 800x as a sample of how much faster a checksum
may be broken over the course of 2 years (MD5 using the above data is
>2000x), then existing checksums do not stand a significant chance of
survival in the future. We should thus accept that whatever checksums we
are using today, will be broken in the near future, and plan as best as
possible. (A brief review [H04] of the SHA1 attacks indicates an
improvement of ~600x in the same timespan).

And for those that claim implementation of these procedures is not yet
feasible, see [K06b] for an application that can produce two
self-extracting EXE files, with identical MD5s, and whatever payload you
want.

The good news
-------------
Of the checksums presently used by Manifest2 (SHA1, SHA256, RIPEMD160),
one stands close to being completely broken: SHA1; and another is
significantly weakened: RIPEMD160. The SHA2 series has suffered some
attacks, but still remains reasonably solid [G07],[K08]. 

To reduce the potential for future problems and any single checksum
break leading to a rapid decrease in security, we should incorporate the
strongest hash available from each family of checksums, and be prepared
to retire old checksums actively, unless there is a overriding reason to
keep a specific checksum, such as part of a migration plan.

What should be done
-------------------
Portage should always try to verify all supported hashes that are
available in a Manifest2, starting with the strongest ones as maintained
by a preference list. Over time, the weaker checksums should be removed
from Manifest2 files, once all old Portage installations have had
sufficient time to upgrade. Stronger checksums shall be added as soon as
an implementation is available in Portage. Weak checksums may be removed
as long as the depreciation process is followed (see below).

As soon as feasible, we should add the SHA512 and WHIRLPOOL algorithms.
In future, as stream-based checksums are developed (in response to the
development by NIST [AHS]), they should be considered and used.

The SHA512 algorithm is available in Python 2.5, which has been a
dependency of Portage since approximately Portage 2.1.6.13.

The WHIRLPOOL checksum is not available within the PyCrypto library or
hashlib that is part of Python 2.5, but there are multiple alternative
Python implementations available, ranging from pure Python to C-based
(python-mhash).

The existence unsupported hash is not considered to be a failure unless
no supported hashes are available for a given Manifest entry.

Checksum depreciation timing
----------------------------
General principles:
~~~~~~~~~~~~~~~~~~~
A minimum set of depreciated checksums shall be maintained only to
support old package manager versions where needed by historically used
trees:

- New package manager versions should NOT use depreciated checksums in

- New trees with that have never used the depreciated checksums may omit
  them for reasons of size, but are still strongly suggested to include
  them.

- Removal of depreciated checksums shall happen after no less than 18
  months or one major Portage version cycle, whichever is greater.

Immediate plans:
~~~~~~~~~~~~~~~~
For the current Portage, both SHA1 and RIPEMD160 should be immediately
removed, as they present no advantages over the already present SHA256.
SHA256 cannot be replaced immediately with SHA512, as existing Portage
versions need at least one supported algorithm present (SHA256 support
was added in June 2006), so it must be retained for some while.

Immediately:

- Add WHIRLPOOL and SHA512.

- Remove SHA1 and RIPEMD160.

After the majority of Portage installations include SHA512 support:

- Remove SHA256.

Backwards Compatibility
=======================
Old versions of Portage may support and expect only specific checksums.
This is accounted for in the checksum depreciation discussion.

For maximum compatiability, we should only have to include each of the
old algorithms that we are officially still supporting, as well as the
new ones that we prefer.

References
==========

[AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions",
  (Advanced Hash Standard). http://csrc.nist.gov/pki/HashWorkshop/

[BOBO06] Boneh, D. and Boyen, X. (2006). "On the Impossibility of
  Efficiently Combining Collision Resistant Hash Functions"; Proceedings
  of CRYPTO 2006, Dwork, C. (Ed.); Lecture Notes in Computer Science
  4117, pp. 570-583. Available online from:
  http://crypto.stanford.edu/~dabo/abstracts/hashing.html

[H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). "On Corrective
  Patterns for the SHA-2 Family". CRYPTO 2004 Cryptology ePrint Archive,
  Report 2004/204. Available online from:
  http://eprint.iacr.org/2004/207.pdf

[J04] Joux, Antoie. (2004).  "Multicollisions in Iterated Hash 
  Functions - Application to Cascaded Constructions;" Proceedings of
  CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science
  3152, pp.  306-316. Available online from:
  http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf

[K06a] Klima, V. (2006). "Tunnels in Hash Functions: MD5 Collisions
  Within a Minute". Cryptology ePrint Archive, Report 2006/105.
  Available online from: http://eprint.iacr.org/2006/105.pdf

[K06b] Klima, V. (2006). "Note and links to high-speed MD5 collision
  proof of concept tools". Available online from:
  http://cryptography.hyperlink.cz/2006/trick.txt

[K08] Klima, V. (2008). "On Collisions of Hash Functions Turbo SHA-2".
  Cryptology ePrint Archive, Report 2008/003. Available online from:
  http://eprint.iacr.org/2008/003.pdf

[G07] Gligoroski, D. and Knapskog, S.J. (2007). "Turbo SHA-2".
  Cryptology ePrint Archive, Report 2007/403. Available online from:
  http://eprint.iacr.org/2007/403.pdf

[W04] Wang, X. et al: "Collisions for Hash Functions MD4, MD5,
  HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint
  Archive, Report 2004/199, first version (August 16, 2004), second
  version (August 17, 2004). Available online from:
  http://eprint.iacr.org/2004/199.pdf

Thanks to
=========
I'd like to thank the following folks, in no specific order:
 - Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper,
   and also being stubborn enough in not accepting a partial solution.
 - Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring
   (ferringb): for being knowledgeable about the Portage Manifest2
   codebase.

References
==========
.. [GLEP44] Mauch, M. (2005) GLEP44 - Manifest2 format.
   http://www.gentoo.org/proj/en/glep/glep-0044.html    

Copyright
=========
Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
distributed only subject to the terms and conditions set forth in the
Open Publication License, v1.0.

.. vim: tw=72 ts=2 expandtab:
1	GLEP: 59
2	Title: Manifest2 hash policies and security implications
3	Version: $Revision: 1.8 $
4	Last-Modified: $Date: 2010/02/07 10:39:52 $
5	Author: Robin Hugh Johnson <robbat2@gentoo.org>,
6	Status: Draft
7	Type: Standards Track
8	Content-Type: text/x-rst
9	Requires: 44
10	Created: October 2006
11	Updated: November 2007, June 2008, July 2008, October 2008, January 2010
12	Updates: 44
13	Post-History: December 2009, January 2010
14
15	Abstract
16	========
17	While Manifest2 format allows multiple hashes, the question of which
18	checksums should be present, why, and the security implications of such
19	have never been resolved. This GLEP covers all of these issues, and
20	makes recommendations as to how to handle checksums both now, and in
21	future.
22
23	Motivation
24	==========
25	This GLEP is being written as part of the work on signing the Portage
26	tree, but is only tangentially related to the actual signing of
27	Manifests. Checksums present one possible weak point in the overall
28	security of the tree - and a comprehensive security plan is needed.
29
30	This GLEP is not mandatory for the tree-signing specification, but
31	instead aims to improve the security of the hashes used in Manifest2
32	[GLEP44]. As such, it is also able to stand on it's own.
33
34	Specification
35	=============
36	The bad news
37	------------
38	First of all, I'd like to cover the bad news in checksum security.
39	A much discussed point, as been the simple question: What is the
40	security of multiple independent checksums on the same data?
41	The most common position (and indeed the one previously held by myself),
42	is that multiple checksums would be an increase in security, but we
43	could not provably quantify the amount of security this added.
44	The really bad news, is that this position is completely and utterly
45	wrong. Many of you will be aghast at this. There is extremely little
46	added security in multiple checksums as noted by Joux [J04]. For any set
47	of checksums, the actual strength lies in that of the strongest
48	checksum.
49
50	Wang et al [W04] extended Joux's [J04] work on SHA-0 to cover MD4, MD5,
51	HAVAL-128 and RIPEMD families of hashes.
52
53	How fast can MD5 be broken?
54	---------------------------
55	For a general collision, not a pre-image attack, since the announcement
56	by Wang et al [W04], the time required to break MD5 has been massively
57	reduced. Originally at 1 hour on a near-supercomputer (IBM P690) and
58	estimated at 64 hours with a Pentium-3 1.7Ghz. This has gone down to
59	less than in two years, to 17 seconds [K06a].
60
61	- 08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours
62
63	- 03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours
64
65	- 11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours
66
67	- 03/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours
68
69	- 04/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours
70
71	If we accept a factor of 800x as a sample of how much faster a checksum
72	may be broken over the course of 2 years (MD5 using the above data is
73	>2000x), then existing checksums do not stand a significant chance of
74	survival in the future. We should thus accept that whatever checksums we
75	are using today, will be broken in the near future, and plan as best as
76	possible. (A brief review [H04] of the SHA1 attacks indicates an
77	improvement of ~600x in the same timespan).
78
79	And for those that claim implementation of these procedures is not yet
80	feasible, see [K06b] for an application that can produce two
81	self-extracting EXE files, with identical MD5s, and whatever payload you
82	want.
83
84	The good news
85	-------------
86	Of the checksums presently used by Manifest2 (SHA1, SHA256, RIPEMD160),
87	one stands close to being completely broken: SHA1; and another is
88	significantly weakened: RIPEMD160. The SHA2 series has suffered some
89	attacks, but still remains reasonably solid [G07],[K08].
90
91	To reduce the potential for future problems and any single checksum
92	break leading to a rapid decrease in security, we should incorporate the
93	strongest hash available from each family of checksums, and be prepared
94	to retire old checksums actively, unless there is a overriding reason to
95	keep a specific checksum, such as part of a migration plan.
96
97	What should be done
98	-------------------
99	Portage should always try to verify all supported hashes that are
100	available in a Manifest2, starting with the strongest ones as maintained
101	by a preference list. Over time, the weaker checksums should be removed
102	from Manifest2 files, once all old Portage installations have had
103	sufficient time to upgrade. Stronger checksums shall be added as soon as
104	an implementation is available in Portage. Weak checksums may be removed
105	as long as the depreciation process is followed (see below).
106
107	As soon as feasible, we should add the SHA512 and WHIRLPOOL algorithms.
108	In future, as stream-based checksums are developed (in response to the
109	development by NIST [AHS]), they should be considered and used.
110
111	The SHA512 algorithm is available in Python 2.5, which has been a
112	dependency of Portage since approximately Portage 2.1.6.13.
113
114	The WHIRLPOOL checksum is not available within the PyCrypto library or
115	hashlib that is part of Python 2.5, but there are multiple alternative
116	Python implementations available, ranging from pure Python to C-based
117	(python-mhash).
118
119	The existence unsupported hash is not considered to be a failure unless
120	no supported hashes are available for a given Manifest entry.
121
122	Checksum depreciation timing
123	----------------------------
124	General principles:
125	~~~~~~~~~~~~~~~~~~~
126	A minimum set of depreciated checksums shall be maintained only to
127	support old package manager versions where needed by historically used
128	trees:
129
130	- New package manager versions should NOT use depreciated checksums in
131
132	- New trees with that have never used the depreciated checksums may omit
133	them for reasons of size, but are still strongly suggested to include
134	them.
135
136	- Removal of depreciated checksums shall happen after no less than 18
137	months or one major Portage version cycle, whichever is greater.
138
139	Immediate plans:
140	~~~~~~~~~~~~~~~~
141	For the current Portage, both SHA1 and RIPEMD160 should be immediately
142	removed, as they present no advantages over the already present SHA256.
143	SHA256 cannot be replaced immediately with SHA512, as existing Portage
144	versions need at least one supported algorithm present (SHA256 support
145	was added in June 2006), so it must be retained for some while.
146
147	Immediately:
148
149	- Add WHIRLPOOL and SHA512.
150
151	- Remove SHA1 and RIPEMD160.
152
153	After the majority of Portage installations include SHA512 support:
154
155	- Remove SHA256.
156
157	Backwards Compatibility
158	=======================
159	Old versions of Portage may support and expect only specific checksums.
160	This is accounted for in the checksum depreciation discussion.
161
162	For maximum compatiability, we should only have to include each of the
163	old algorithms that we are officially still supporting, as well as the
164	new ones that we prefer.
165
166	References
167	==========
168
169	[AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions",
170	(Advanced Hash Standard). http://csrc.nist.gov/pki/HashWorkshop/
171
172	[BOBO06] Boneh, D. and Boyen, X. (2006). "On the Impossibility of
173	Efficiently Combining Collision Resistant Hash Functions"; Proceedings
174	of CRYPTO 2006, Dwork, C. (Ed.); Lecture Notes in Computer Science
175	4117, pp. 570-583. Available online from:
176	http://crypto.stanford.edu/~dabo/abstracts/hashing.html
177
178	[H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). "On Corrective
179	Patterns for the SHA-2 Family". CRYPTO 2004 Cryptology ePrint Archive,
180	Report 2004/204. Available online from:
181	http://eprint.iacr.org/2004/207.pdf
182
183	[J04] Joux, Antoie. (2004). "Multicollisions in Iterated Hash
184	Functions - Application to Cascaded Constructions;" Proceedings of
185	CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science
186	3152, pp. 306-316. Available online from:
187	http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf
188
189	[K06a] Klima, V. (2006). "Tunnels in Hash Functions: MD5 Collisions
190	Within a Minute". Cryptology ePrint Archive, Report 2006/105.
191	Available online from: http://eprint.iacr.org/2006/105.pdf
192
193	[K06b] Klima, V. (2006). "Note and links to high-speed MD5 collision
194	proof of concept tools". Available online from:
195	http://cryptography.hyperlink.cz/2006/trick.txt
196
197	[K08] Klima, V. (2008). "On Collisions of Hash Functions Turbo SHA-2".
198	Cryptology ePrint Archive, Report 2008/003. Available online from:
199	http://eprint.iacr.org/2008/003.pdf
200
201	[G07] Gligoroski, D. and Knapskog, S.J. (2007). "Turbo SHA-2".
202	Cryptology ePrint Archive, Report 2007/403. Available online from:
203	http://eprint.iacr.org/2007/403.pdf
204
205	[W04] Wang, X. et al: "Collisions for Hash Functions MD4, MD5,
206	HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint
207	Archive, Report 2004/199, first version (August 16, 2004), second
208	version (August 17, 2004). Available online from:
209	http://eprint.iacr.org/2004/199.pdf
210
211	Thanks to
212	=========
213	I'd like to thank the following folks, in no specific order:
214	- Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper,
215	and also being stubborn enough in not accepting a partial solution.
216	- Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring
217	(ferringb): for being knowledgeable about the Portage Manifest2
218	codebase.
219
220	References
221	==========
222	.. [GLEP44] Mauch, M. (2005) GLEP44 - Manifest2 format.
223	http://www.gentoo.org/proj/en/glep/glep-0044.html
224
225	Copyright
226	=========
227	Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
228	distributed only subject to the terms and conditions set forth in the
229	Open Publication License, v1.0.
230
231	.. vim: tw=72 ts=2 expandtab: