1 |
<?xml version="1.0" encoding="utf-8" ?> |
2 |
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
3 |
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> |
4 |
|
5 |
<head> |
6 |
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> |
7 |
<meta name="generator" content="Docutils 0.6: http://docutils.sourceforge.net/" /> |
8 |
<title>GLEP 59 -- Manifest2 hash policies and security implications</title> |
9 |
<link rel="stylesheet" href="tools/glep.css" type="text/css" /></head> |
10 |
<body bgcolor="white"> |
11 |
<table class="navigation" cellpadding="0" cellspacing="0" |
12 |
width="100%" border="0"> |
13 |
<tr><td class="navicon" width="150" height="35"> |
14 |
<a href="http://www.gentoo.org/" title="Gentoo Linux Home Page"> |
15 |
<img src="http://www.gentoo.org/images/gentoo-new.gif" alt="[Gentoo]" |
16 |
border="0" width="150" height="35" /></a></td> |
17 |
<td class="textlinks" align="left"> |
18 |
[<b><a href="http://www.gentoo.org/">Gentoo Linux Home</a></b>] |
19 |
[<b><a href="http://www.gentoo.org/proj/en/glep">GLEP Index</a></b>] |
20 |
[<b><a href="http://www.gentoo.org/proj/en/glep/glep-0059.txt">GLEP Source</a></b>] |
21 |
</td></tr></table> |
22 |
<table class="rfc2822 docutils field-list" frame="void" rules="none"> |
23 |
<col class="field-name" /> |
24 |
<col class="field-body" /> |
25 |
<tbody valign="top"> |
26 |
<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">59</td> |
27 |
</tr> |
28 |
<tr class="field"><th class="field-name">Title:</th><td class="field-body">Manifest2 hash policies and security implications</td> |
29 |
</tr> |
30 |
<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.7</td> |
31 |
</tr> |
32 |
<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0059.txt?cvsroot=gentoo">2010/02/02 05:49:27</a></td> |
33 |
</tr> |
34 |
<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson <robbat2 at gentoo.org>,</td> |
35 |
</tr> |
36 |
<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> |
37 |
</tr> |
38 |
<tr class="field"><th class="field-name">Type:</th><td class="field-body">Standards Track</td> |
39 |
</tr> |
40 |
<tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td> |
41 |
</tr> |
42 |
<tr class="field"><th class="field-name">Requires:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/proj/en/glepglep-0044.html">44</a></td> |
43 |
</tr> |
44 |
<tr class="field"><th class="field-name">Created:</th><td class="field-body">October 2006</td> |
45 |
</tr> |
46 |
<tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008, October 2008, January 2010</td> |
47 |
</tr> |
48 |
<tr class="field"><th class="field-name">Updates:</th><td class="field-body">44</td> |
49 |
</tr> |
50 |
<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009, January 2010</td> |
51 |
</tr> |
52 |
</tbody> |
53 |
</table> |
54 |
<hr /> |
55 |
<div class="contents topic" id="contents"> |
56 |
<p class="topic-title first">Contents</p> |
57 |
<ul class="simple"> |
58 |
<li><a class="reference internal" href="#abstract" id="id1">Abstract</a></li> |
59 |
<li><a class="reference internal" href="#motivation" id="id2">Motivation</a></li> |
60 |
<li><a class="reference internal" href="#specification" id="id3">Specification</a><ul> |
61 |
<li><a class="reference internal" href="#the-bad-news" id="id4">The bad news</a></li> |
62 |
<li><a class="reference internal" href="#how-fast-can-md5-be-broken" id="id5">How fast can MD5 be broken?</a></li> |
63 |
<li><a class="reference internal" href="#the-good-news" id="id6">The good news</a></li> |
64 |
<li><a class="reference internal" href="#what-should-be-done" id="id7">What should be done</a></li> |
65 |
<li><a class="reference internal" href="#checksum-depreciation-timing" id="id8">Checksum depreciation timing</a><ul> |
66 |
<li><a class="reference internal" href="#general-principles" id="id9">General principles:</a></li> |
67 |
<li><a class="reference internal" href="#immediate-plans" id="id10">Immediate plans:</a></li> |
68 |
</ul> |
69 |
</li> |
70 |
</ul> |
71 |
</li> |
72 |
<li><a class="reference internal" href="#backwards-compatibility" id="id11">Backwards Compatibility</a></li> |
73 |
<li><a class="reference internal" href="#references" id="id12">References</a></li> |
74 |
<li><a class="reference internal" href="#thanks-to" id="id13">Thanks to</a></li> |
75 |
<li><a class="reference internal" href="#copyright" id="id14">Copyright</a></li> |
76 |
</ul> |
77 |
</div> |
78 |
<div class="section" id="abstract"> |
79 |
<h1><a class="toc-backref" href="#id1">Abstract</a></h1> |
80 |
<p>While Manifest2 format allows multiple hashes, the question of which |
81 |
checksums should be present, why, and the security implications of such |
82 |
have never been resolved. This GLEP covers all of these issues, and |
83 |
makes recommendations as to how to handle checksums both now, and in |
84 |
future.</p> |
85 |
</div> |
86 |
<div class="section" id="motivation"> |
87 |
<h1><a class="toc-backref" href="#id2">Motivation</a></h1> |
88 |
<p>This GLEP is being written as part of the work on signing the Portage |
89 |
tree, but is only tangentially related to the actual signing of |
90 |
Manifests. Checksums present one possible weak point in the overall |
91 |
security of the tree - and a comprehensive security plan is needed.</p> |
92 |
<p>This GLEP is not mandatory for the tree-signing specification, but |
93 |
instead aims to improve the security of the hashes used in Manifest2. |
94 |
As such, it is also able to stand on it's own.</p> |
95 |
</div> |
96 |
<div class="section" id="specification"> |
97 |
<h1><a class="toc-backref" href="#id3">Specification</a></h1> |
98 |
<div class="section" id="the-bad-news"> |
99 |
<h2><a class="toc-backref" href="#id4">The bad news</a></h2> |
100 |
<p>First of all, I'd like to cover the bad news in checksum security. |
101 |
A much discussed point, as been the simple question: What is the |
102 |
security of multiple independent checksums on the same data? |
103 |
The most common position (and indeed the one previously held by myself), |
104 |
is that multiple checksums would be an increase in security, but we |
105 |
could not provably quantify the amount of security this added. |
106 |
The really bad news, is that this position is completely and utterly |
107 |
wrong. Many of you will be aghast at this. There is extremely little |
108 |
added security in multiple checksums as noted by Joux [J04]. For any set |
109 |
of checksums, the actual strength lies in that of the strongest |
110 |
checksum.</p> |
111 |
<p>Wang et al [W04] extended Joux's [J04] work on SHA-0 to cover MD4, MD5, |
112 |
HAVAL-128 and RIPEMD families of hashes.</p> |
113 |
</div> |
114 |
<div class="section" id="how-fast-can-md5-be-broken"> |
115 |
<h2><a class="toc-backref" href="#id5">How fast can MD5 be broken?</a></h2> |
116 |
<p>For a general collision, not a pre-image attack, since the announcement |
117 |
by Wang et al [W04], the time required to break MD5 has been massively |
118 |
reduced. Originally at 1 hour on a near-supercomputer (IBM P690) and |
119 |
estimated at 64 hours with a Pentium-3 1.7Ghz. This has gone down to |
120 |
less than in two years, to 17 seconds [K06a].</p> |
121 |
<ul class="simple"> |
122 |
<li>08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours</li> |
123 |
<li>03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours</li> |
124 |
<li>11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours</li> |
125 |
<li>03/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours</li> |
126 |
<li>04/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours</li> |
127 |
</ul> |
128 |
<p>If we accept a factor of 800x as a sample of how much faster a checksum |
129 |
may be broken over the course of 2 years (MD5 using the above data is |
130 |
>2000x), then existing checksums do not stand a significant chance of |
131 |
survival in the future. We should thus accept that whatever checksums we |
132 |
are using today, will be broken in the near future, and plan as best as |
133 |
possible. (A brief review [H04] of the SHA1 attacks indicates an |
134 |
improvement of ~600x in the same timespan).</p> |
135 |
<p>And for those that claim implementation of these procedures is not yet |
136 |
feasible, see [K06b] for an application that can produce two |
137 |
self-extracting EXE files, with identical MD5s, and whatever payload you |
138 |
want.</p> |
139 |
</div> |
140 |
<div class="section" id="the-good-news"> |
141 |
<h2><a class="toc-backref" href="#id6">The good news</a></h2> |
142 |
<p>Of the checksums presently used by Manifest2 (SHA1, SHA256, RIPEMD160), |
143 |
one stands close to being completely broken: SHA1; and another is |
144 |
significantly weakened: RIPEMD160. The SHA2 series has suffered some |
145 |
attacks, but still remains reasonably solid [G07],[K08].</p> |
146 |
<p>To reduce the potential for future problems and any single checksum |
147 |
break leading to a rapid decrease in security, we should incorporate the |
148 |
strongest hash available from each family of checksums, and be prepared |
149 |
to retire old checksums actively, unless there is a overriding reason to |
150 |
keep a specific checksum, such as part of a migration plan.</p> |
151 |
</div> |
152 |
<div class="section" id="what-should-be-done"> |
153 |
<h2><a class="toc-backref" href="#id7">What should be done</a></h2> |
154 |
<p>Portage should always try to verify all supported hashes that are |
155 |
available in a Manifest2, starting with the strongest ones as maintained |
156 |
by a preference list. Over time, the weaker checksums should be removed |
157 |
from Manifest2 files, once all old Portage installations have had |
158 |
sufficient time to upgrade. Stronger checksums shall be added as soon as |
159 |
an implementation is available in Portage. Weak checksums may be removed |
160 |
as long as the depreciation process is followed (see below).</p> |
161 |
<p>As soon as feasible, we should add the SHA512 and WHIRLPOOL algorithms. |
162 |
In future, as stream-based checksums are developed (in response to the |
163 |
development by NIST [AHS]), they should be considered and used.</p> |
164 |
<p>The SHA512 algorithm is available in Python 2.5, which has been a |
165 |
dependency of Portage since approximately Portage 2.1.6.13.</p> |
166 |
<p>The WHIRLPOOL checksum is not available within the PyCrypto library or |
167 |
hashlib that is part of Python 2.5, but there are multiple alternative |
168 |
Python implementations available, ranging from pure Python to C-based |
169 |
(python-mhash).</p> |
170 |
<p>The existence unsupported hash is not considered to be a failure unless |
171 |
no supported hashes are available for a given Manifest entry.</p> |
172 |
</div> |
173 |
<div class="section" id="checksum-depreciation-timing"> |
174 |
<h2><a class="toc-backref" href="#id8">Checksum depreciation timing</a></h2> |
175 |
<div class="section" id="general-principles"> |
176 |
<h3><a class="toc-backref" href="#id9">General principles:</a></h3> |
177 |
<p>A minimum set of depreciated checksums shall be maintained only to |
178 |
support old package manager versions where needed by historically used |
179 |
trees:</p> |
180 |
<ul class="simple"> |
181 |
<li>New package manager versions should NOT use depreciated checksums in</li> |
182 |
<li>New trees with that have never used the depreciated checksums may omit |
183 |
them for reasons of size, but are still strongly suggested to include |
184 |
them.</li> |
185 |
<li>Removal of depreciated checksums shall happen after no less than 18 |
186 |
months or one major Portage version cycle, whichever is greater.</li> |
187 |
</ul> |
188 |
</div> |
189 |
<div class="section" id="immediate-plans"> |
190 |
<h3><a class="toc-backref" href="#id10">Immediate plans:</a></h3> |
191 |
<p>For the current Portage, both SHA1 and RIPEMD160 should be immediately |
192 |
removed, as they present no advantages over the already present SHA256. |
193 |
SHA256 cannot be replaced immediately with SHA512, as existing Portage |
194 |
versions need at least one supported algorithm present (SHA256 support |
195 |
was added in June 2006), so it must be retained for some while.</p> |
196 |
<p>Immediately:</p> |
197 |
<ul class="simple"> |
198 |
<li>Add WHIRLPOOL and SHA512.</li> |
199 |
<li>Remove SHA1 and RIPEMD160.</li> |
200 |
</ul> |
201 |
<p>After the majority of Portage installations include SHA512 support:</p> |
202 |
<ul class="simple"> |
203 |
<li>Remove SHA256.</li> |
204 |
</ul> |
205 |
</div> |
206 |
</div> |
207 |
</div> |
208 |
<div class="section" id="backwards-compatibility"> |
209 |
<h1><a class="toc-backref" href="#id11">Backwards Compatibility</a></h1> |
210 |
<p>Old versions of Portage may support and expect only specific checksums. |
211 |
This is accounted for in the checksum depreciation discussion.</p> |
212 |
<p>For maximum compatiability, we should only have to include each of the |
213 |
old algorithms that we are officially still supporting, as well as the |
214 |
new ones that we prefer.</p> |
215 |
</div> |
216 |
<div class="section" id="references"> |
217 |
<h1><a class="toc-backref" href="#id12">References</a></h1> |
218 |
<dl class="docutils"> |
219 |
<dt>[AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions",</dt> |
220 |
<dd>(Advanced Hash Standard). <a class="reference external" href="http://csrc.nist.gov/pki/HashWorkshop/">http://csrc.nist.gov/pki/HashWorkshop/</a></dd> |
221 |
<dt>[BOBO06] Boneh, D. and Boyen, X. (2006). "On the Impossibility of</dt> |
222 |
<dd>Efficiently Combining Collision Resistant Hash Functions"; Proceedings |
223 |
of CRYPTO 2006, Dwork, C. (Ed.); Lecture Notes in Computer Science |
224 |
4117, pp. 570-583. Available online from: |
225 |
<a class="reference external" href="http://crypto.stanford.edu/~dabo/abstracts/hashing.html">http://crypto.stanford.edu/~dabo/abstracts/hashing.html</a></dd> |
226 |
<dt>[H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). "On Corrective</dt> |
227 |
<dd>Patterns for the SHA-2 Family". CRYPTO 2004 Cryptology ePrint Archive, |
228 |
Report 2004/204. Available online from: |
229 |
<a class="reference external" href="http://eprint.iacr.org/2004/207.pdf">http://eprint.iacr.org/2004/207.pdf</a></dd> |
230 |
<dt>[J04] Joux, Antoie. (2004). "Multicollisions in Iterated Hash</dt> |
231 |
<dd>Functions - Application to Cascaded Constructions;" Proceedings of |
232 |
CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science |
233 |
3152, pp. 306-316. Available online from: |
234 |
<a class="reference external" href="http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf">http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf</a></dd> |
235 |
<dt>[K06a] Klima, V. (2006). "Tunnels in Hash Functions: MD5 Collisions</dt> |
236 |
<dd>Within a Minute". Cryptology ePrint Archive, Report 2006/105. |
237 |
Available online from: <a class="reference external" href="http://eprint.iacr.org/2006/105.pdf">http://eprint.iacr.org/2006/105.pdf</a></dd> |
238 |
<dt>[K06b] Klima, V. (2006). "Note and links to high-speed MD5 collision</dt> |
239 |
<dd>proof of concept tools". Available online from: |
240 |
<a class="reference external" href="http://cryptography.hyperlink.cz/2006/trick.txt">http://cryptography.hyperlink.cz/2006/trick.txt</a></dd> |
241 |
<dt>[K08] Klima, V. (2008). "On Collisions of Hash Functions Turbo SHA-2".</dt> |
242 |
<dd>Cryptology ePrint Archive, Report 2008/003. Available online from: |
243 |
<a class="reference external" href="http://eprint.iacr.org/2008/003.pdf">http://eprint.iacr.org/2008/003.pdf</a></dd> |
244 |
<dt>[G07] Gligoroski, D. and Knapskog, S.J. (2007). "Turbo SHA-2".</dt> |
245 |
<dd>Cryptology ePrint Archive, Report 2007/403. Available online from: |
246 |
<a class="reference external" href="http://eprint.iacr.org/2007/403.pdf">http://eprint.iacr.org/2007/403.pdf</a></dd> |
247 |
<dt>[W04] Wang, X. et al: "Collisions for Hash Functions MD4, MD5,</dt> |
248 |
<dd>HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint |
249 |
Archive, Report 2004/199, first version (August 16, 2004), second |
250 |
version (August 17, 2004). Available online from: |
251 |
<a class="reference external" href="http://eprint.iacr.org/2004/199.pdf">http://eprint.iacr.org/2004/199.pdf</a></dd> |
252 |
</dl> |
253 |
</div> |
254 |
<div class="section" id="thanks-to"> |
255 |
<h1><a class="toc-backref" href="#id13">Thanks to</a></h1> |
256 |
<dl class="docutils"> |
257 |
<dt>I'd like to thank the following folks, in no specific order:</dt> |
258 |
<dd><ul class="first last simple"> |
259 |
<li>Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper, |
260 |
and also being stubborn enough in not accepting a partial solution.</li> |
261 |
<li>Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring |
262 |
(ferringb): for being knowledgeable about the Portage Manifest2 |
263 |
codebase.</li> |
264 |
</ul> |
265 |
</dd> |
266 |
</dl> |
267 |
</div> |
268 |
<div class="section" id="copyright"> |
269 |
<h1><a class="toc-backref" href="#id14">Copyright</a></h1> |
270 |
<p>Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be |
271 |
distributed only subject to the terms and conditions set forth in the |
272 |
Open Publication License, v1.0.</p> |
273 |
<p>vim: tw=72 ts=2 expandtab:</p> |
274 |
</div> |
275 |
|
276 |
</div> |
277 |
<div class="footer"> |
278 |
<hr class="footer" /> |
279 |
<a class="reference external" href="glep-0059.txt">View document source</a>. |
280 |
Generated on: 2010-02-07 10:37 UTC. |
281 |
Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
282 |
|
283 |
</div> |
284 |
</body> |
285 |
</html> |