--- xml/htdocs/proj/en/glep/glep-0059.html 2010/01/13 03:28:33 1.4 +++ xml/htdocs/proj/en/glep/glep-0059.html 2010/01/31 07:55:45 1.5 @@ -47,7 +47,7 @@
Wang et al [W04] extended Joux's [J04] work on SHA-0 to cover MD4, MD5, +HAVAL-128 and RIPEMD families of hashes.
For a general collision, not a pre-image attack, since the original -announcement by Wang et al [W04], the time required to break MD5 has -been massively reduced. Originally at 1 hour on a near-supercomputer -(IBM P690) and estimated at 64 hours with a Pentium-3 1.7Ghz. This has -gone down to less than in two years, to 17 seconds [K06a]!+
For a general collision, not a pre-image attack, since the announcement +by Wang et al [W04], the time required to break MD5 has been massively +reduced. Originally at 1 hour on a near-supercomputer (IBM P690) and +estimated at 64 hours with a Pentium-3 1.7Ghz. This has gone down to +less than in two years, to 17 seconds [K06a].
08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours 03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours 11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours @@ -120,26 +121,24 @@ >2000x), then existing checksums do not stand a significant chance of survival in the future. We should thus accept that whatever checksums we are using today, will be broken in the near future, and plan as best as -possible. (A brief review [H04] of the present SHA1 attacks indicates an +possible. (A brief review [H04] of the SHA1 attacks indicates an improvement of ~600x in the same timespan).
And for those that claim implementation of these procedures is not yet feasible, see [K06b] for an application that can produce two -self-extracting .exe files, with identical MD5s, and whatever payload -you want.+self-extracting EXE files, with identical MD5s, and whatever payload you +want.
Of the checksums presently used by Manifest2, one stands close to being -completely broken: SHA1. The SHA2 series has suffered some attacks, but -still remains reasonably solid [G07],[K08]. No attacks against RIPEMD160 -have been published, however it is constructed in the same manner as -MD5, SHA1 and SHA2, so is also vulnerable to the new methods of -cryptanalysis [H04].+
Of the checksums presently used by Manifest2 (SHA1, SHA256, RIPEMD160), +one stands close to being completely broken: SHA1; and another is +significantly weakened: RIPEMD160. The SHA2 series has suffered some +attacks, but still remains reasonably solid [G07],[K08].
To reduce the potential for future problems and any single checksum break leading to a rapid decrease in security, we should incorporate the strongest hash available from each family of checksums, and be prepared to retire old checksums actively, unless there is a overriding reason to -keep a specific checksum.+keep a specific checksum, such as part of a migration plan.
An unsupported hash is not considered to be a failure unless no -supported hashes are available.-
For the current Portage, SHA1 should be gradually removed, as presents -no advantages over SHA256. Beyond one specific problem (see the next -paragraph), we should add SHA512 (SHA2, 512 bit size), the Whirlpool -checksum (standardized checksum, with no known weaknesses). In future, -as stream-based checksums are developed (in response to the development -by NIST [AHS]), they should be considered and used.-
There is one temporary stumbling block at hand - the existing Portage -infrastructure does not support SHA384/512 or Whirlpool, thus hampering -their immediate acceptance. SHA512 is available in Python 2.5, while -SHA1 is already available in Python 2.4. After Python2.5 is established -in a Gentoo media release, that would be a suitable time to remove SHA1 -from Manifest2 files.-
As soon as feasible, we should add the SHA512 and WHIRLPOOL algorithms. +In future, as stream-based checksums are developed (in response to the +development by NIST [AHS]), they should be considered and used.+
The SHA512 algorithm is available in Python 2.5, which has been a +dependency of Portage since approximately Python 188.8.131.52.+
The WHIRLPOOL checksum is not available within the PyCrypto library or +hashlib that is part of Python 2.5, but there are multiple alternative +Python implementations available, ranging from pure Python to C-based +(python-mhash).+
The existence unsupported hash is not considered to be a failure unless +no supported hashes are available for a given Manifest entry.+
For the current Portage, both SHA1 and RIPEMD160 should be immediately +removed, as they present no advantages over the already present SHA256. +SHA256 cannot be replaced immediately with SHA512, as existing Portage +versions need at least one supported algorithm present (SHA256 support +was added in June 2006), so it must be retained for some while.+
Immediately: +- Add WHIRLPOOL and SHA512. +- Remove SHA1 and RIPEMD160.+
After the majority of Portage installations include SHA512 support: +- Remove SHA256.