Contents of /xml/htdocs/proj/en/glep/glep-0059.html

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.3 - (show annotations) (download) (as text)
Tue Oct 28 07:47:52 2008 UTC (10 years, 4 months ago) by robbat2
Branch: MAIN
Changes since 1.2: +6 -4 lines
File MIME type: text/html
Regen HTML.

1 <?xml version="1.0" encoding="utf-8" ?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
5 <head>
6 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
7 <meta name="generator" content="Docutils 0.5: http://docutils.sourceforge.net/" />
8 <title>GLEP 59 -- Manifest2 hash policies and security implications</title>
9 <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head>
10 <body bgcolor="white">
11 <table class="navigation" cellpadding="0" cellspacing="0"
12 width="100%" border="0">
13 <tr><td class="navicon" width="150" height="35">
14 <a href="http://www.gentoo.org/" title="Gentoo Linux Home Page">
15 <img src="http://www.gentoo.org/images/gentoo-new.gif" alt="[Gentoo]"
16 border="0" width="150" height="35" /></a></td>
17 <td class="textlinks" align="left">
18 [<b><a href="http://www.gentoo.org/">Gentoo Linux Home</a></b>]
19 [<b><a href="http://www.gentoo.org/proj/en/glep">GLEP Index</a></b>]
20 [<b><a href="http://www.gentoo.org/proj/en/glep/glep-0059.txt">GLEP Source</a></b>]
21 </td></tr></table>
22 <table class="rfc2822 docutils field-list" frame="void" rules="none">
23 <col class="field-name" />
24 <col class="field-body" />
25 <tbody valign="top">
26 <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">59</td>
27 </tr>
28 <tr class="field"><th class="field-name">Title:</th><td class="field-body">Manifest2 hash policies and security implications</td>
29 </tr>
30 <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.3</td>
31 </tr>
32 <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0059.txt?cvsroot=gentoo">2008/10/28 07:45:44</a></td>
33 </tr>
34 <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;,</td>
35 </tr>
36 <tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td>
37 </tr>
38 <tr class="field"><th class="field-name">Type:</th><td class="field-body">Standards Track</td>
39 </tr>
40 <tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td>
41 </tr>
42 <tr class="field"><th class="field-name">Requires:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/proj/en/glepglep-0044.html">44</a></td>
43 </tr>
44 <tr class="field"><th class="field-name">Created:</th><td class="field-body">October 2006</td>
45 </tr>
46 <tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008, October 2008</td>
47 </tr>
48 <tr class="field"><th class="field-name">Updates:</th><td class="field-body">44</td>
49 </tr>
50 <tr class="field"><th class="field-name">Post-History:</th><td class="field-body"></td>
51 </tr>
52 </tbody>
53 </table>
54 <hr />
55 <div class="contents topic" id="contents">
56 <p class="topic-title first">Contents</p>
57 <ul class="simple">
58 <li><a class="reference internal" href="#abstract" id="id1">Abstract</a></li>
59 <li><a class="reference internal" href="#motivation" id="id2">Motivation</a></li>
60 <li><a class="reference internal" href="#specification" id="id3">Specification</a><ul>
61 <li><a class="reference internal" href="#the-bad-news" id="id4">The bad news</a></li>
62 <li><a class="reference internal" href="#how-fast-can-md5-be-broken" id="id5">How fast can MD5 be broken?</a></li>
63 <li><a class="reference internal" href="#the-good-news" id="id6">The good news</a></li>
64 <li><a class="reference internal" href="#what-should-be-done" id="id7">What should be done</a><ul>
65 <li><a class="reference internal" href="#checksum-depreciation" id="id8">Checksum depreciation</a></li>
66 </ul>
67 </li>
68 </ul>
69 </li>
70 <li><a class="reference internal" href="#backwards-compatibility" id="id9">Backwards Compatibility</a></li>
71 <li><a class="reference internal" href="#references" id="id10">References</a></li>
72 <li><a class="reference internal" href="#thanks-to" id="id11">Thanks to</a></li>
73 <li><a class="reference internal" href="#copyright" id="id12">Copyright</a></li>
74 </ul>
75 </div>
76 <div class="section" id="abstract">
77 <h1><a class="toc-backref" href="#id1">Abstract</a></h1>
78 <p>While Manifest2 format allows multiple hashes, the question of which
79 checksums should be present, why, and the security implications of such
80 have never been resolved. This GLEP covers all of these issues, and
81 makes recommendations as to how to handle checksums both now, and in
82 future.</p>
83 </div>
84 <div class="section" id="motivation">
85 <h1><a class="toc-backref" href="#id2">Motivation</a></h1>
86 <p>This GLEP is being written as part of the work on signing the Portage
87 tree, but is only tangentially related to the actual signing of
88 Manifests. Checksums present one possible weak point in the overall
89 security of the tree - and a comprehensive security plan is needed.</p>
90 </div>
91 <div class="section" id="specification">
92 <h1><a class="toc-backref" href="#id3">Specification</a></h1>
93 <div class="section" id="the-bad-news">
94 <h2><a class="toc-backref" href="#id4">The bad news</a></h2>
95 <p>First of all, I'd like to cover the bad news in checksum security.
96 A much discussed point, as been the simple question: What is the
97 security of multiple independent checksums on the same data?
98 The most common position (and indeed the one previously held by myself),
99 is that multiple checksums would be an increase in security, but we
100 could not provably quantify the amount of security this added.
101 The really bad news, is that this position is completely and utterly
102 wrong. Many of you will be aghast at this. There is extremely little
103 added security in multiple checksums [J04]. For any set of checksums,
104 the actual strength lies in that of the strongest checksum.</p>
105 </div>
106 <div class="section" id="how-fast-can-md5-be-broken">
107 <h2><a class="toc-backref" href="#id5">How fast can MD5 be broken?</a></h2>
108 <p>For a general collision, not a pre-image attack, since the original
109 announcement by Wang et al [W04], the time required to break MD5 has
110 been massively reduced. Originally at 1 hour on a near-supercomputer
111 (IBM P690) and estimated at 64 hours with a Pentium-3 1.7Ghz. This has
112 gone down to less than in two years, to 17 seconds [K06a]!</p>
113 <p>08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours
114 03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours
115 11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours
116 03/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours
117 04/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours</p>
118 <p>If we accept a factor of 800x as a sample of how much faster a checksum
119 may be broken over the course of 2 years (MD5 using the above data is
120 &gt;2000x), then existing checksums do not stand a significant chance of
121 survival in the future. We should thus accept that whatever checksums we
122 are using today, will be broken in the near future, and plan as best as
123 possible. (A brief review [H04] of the present SHA1 attacks indicates an
124 improvement of ~600x in the same timespan).</p>
125 <p>And for those that claim implementation of these procedures is not yet
126 feasible, see [K06b] for an application that can produce two
127 self-extracting .exe files, with identical MD5s, and whatever payload
128 you want.</p>
129 </div>
130 <div class="section" id="the-good-news">
131 <h2><a class="toc-backref" href="#id6">The good news</a></h2>
132 <p>Of the checksums presently used by Manifest2, one stands close to being
133 completely broken: SHA1. The SHA2 series has suffered some attacks, but
134 still remains reasonably solid [G07],[K08]. No attacks against RIPEMD160
135 have been published, however it is constructed in the same manner as
136 MD5, SHA1 and SHA2, so is also vulnerable to the new methods of
137 cryptanalysis [H04].</p>
138 <p>To reduce the potential for future problems and any single checksum
139 break leading to a rapid decrease in security, we should incorporate the
140 strongest hash available from each family of checksums, and be prepared
141 to retire old checksums actively, unless there is a overriding reason to
142 keep a specific checksum.</p>
143 </div>
144 <div class="section" id="what-should-be-done">
145 <h2><a class="toc-backref" href="#id7">What should be done</a></h2>
146 <p>Portage should always try to verify all supported hashes that are
147 available in a Manifest2, starting with the strongest ones as maintained
148 by a preference list. Over time, the weaker checksums should be removed
149 from Manifest2 files, once all old Portage installations have had
150 sufficient time to upgrade. We should be prepared to add stronger
151 checksums wherever possible, and to remove those that have been
152 defeated.</p>
153 <p>An unsupported hash is not considered to be a failure unless no
154 supported hashes are available.</p>
155 <div class="section" id="checksum-depreciation">
156 <h3><a class="toc-backref" href="#id8">Checksum depreciation</a></h3>
157 <p>For the current Portage, SHA1 should be gradually removed, as presents
158 no advantages over SHA256. Beyond one specific problem (see the next
159 paragraph), we should add SHA512 (SHA2, 512 bit size), the Whirlpool
160 checksum (standardized checksum, with no known weaknesses). In future,
161 as stream-based checksums are developed (in response to the development
162 by NIST [AHS]), they should be considered and used.</p>
163 <p>There is one temporary stumbling block at hand - the existing Portage
164 infrastructure does not support SHA384/512 or Whirlpool, thus hampering
165 their immediate acceptance. SHA512 is available in Python 2.5, while
166 SHA1 is already available in Python 2.4. After Python2.5 is established
167 in a Gentoo media release, that would be a suitable time to remove SHA1
168 from Manifest2 files.</p>
169 </div>
170 </div>
171 </div>
172 <div class="section" id="backwards-compatibility">
173 <h1><a class="toc-backref" href="#id9">Backwards Compatibility</a></h1>
174 <p>Old versions of Portage may support and expect only specific checksums.
175 This is accounted for in the checksum depreciation discussion.</p>
176 </div>
177 <div class="section" id="references">
178 <h1><a class="toc-backref" href="#id10">References</a></h1>
179 <dl class="docutils">
180 <dt>[AHS] NIST (2007). &quot;NIST's Plan for New Cryptographic Hash Functions&quot;,</dt>
181 <dd>(Advanced Hash Standard). <a class="reference external" href="http://csrc.nist.gov/pki/HashWorkshop/">http://csrc.nist.gov/pki/HashWorkshop/</a></dd>
182 <dt>[BOBO06] Boneh, D. and Boyen, X. (2006). &quot;On the Impossibility of</dt>
183 <dd>Efficiently Combining Collision Resistant Hash Functions&quot;; Proceedings
184 of CRYPTO 2006, Dwork, C. (Ed.); Lecture Notes in Computer Science
185 4117, pp. 570-583. Available online from:
186 <a class="reference external" href="http://crypto.stanford.edu/~dabo/abstracts/hashing.html">http://crypto.stanford.edu/~dabo/abstracts/hashing.html</a></dd>
187 <dt>[H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). &quot;On Corrective</dt>
188 <dd>Patterns for the SHA-2 Family&quot;. CRYPTO 2004 Cryptology ePrint Archive,
189 Report 2004/204. Available online from:
190 <a class="reference external" href="http://eprint.iacr.org/2004/207.pdf">http://eprint.iacr.org/2004/207.pdf</a></dd>
191 <dt>[J04] Joux, Antoie. (2004). &quot;Multicollisions in Iterated Hash</dt>
192 <dd>Functions - Application to Cascaded Constructions;&quot; Proceedings of
193 CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science
194 3152, pp. 306-316. Available online from:
195 <a class="reference external" href="http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf">http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf</a></dd>
196 <dt>[K06a] Klima, V. (2006). &quot;Tunnels in Hash Functions: MD5 Collisions</dt>
197 <dd>Within a Minute&quot;. Cryptology ePrint Archive, Report 2006/105.
198 Available online from: <a class="reference external" href="http://eprint.iacr.org/2006/105.pdf">http://eprint.iacr.org/2006/105.pdf</a></dd>
199 <dt>[K06b] Klima, V. (2006). &quot;Note and links to high-speed MD5 collision</dt>
200 <dd>proof of concept tools&quot;. Available online from:
201 <a class="reference external" href="http://cryptography.hyperlink.cz/2006/trick.txt">http://cryptography.hyperlink.cz/2006/trick.txt</a></dd>
202 <dt>[K08] Klima, V. (2008). &quot;On Collisions of Hash Functions Turbo SHA-2&quot;.</dt>
203 <dd>Cryptology ePrint Archive, Report 2008/003. Available online from:
204 <a class="reference external" href="http://eprint.iacr.org/2008/003.pdf">http://eprint.iacr.org/2008/003.pdf</a></dd>
205 <dt>[G07] Gligoroski, D. and Knapskog, S.J. (2007). &quot;Turbo SHA-2&quot;.</dt>
206 <dd>Cryptology ePrint Archive, Report 2007/403. Available online from:
207 <a class="reference external" href="http://eprint.iacr.org/2007/403.pdf">http://eprint.iacr.org/2007/403.pdf</a></dd>
208 <dt>[W04] Wang, X. et al: &quot;Collisions for Hash Functions MD4, MD5,</dt>
209 <dd>HAVAL-128 and RIPEMD&quot;, rump session, CRYPTO 2004, Cryptology ePrint
210 Archive, Report 2004/199, first version (August 16, 2004), second
211 version (August 17, 2004). Available online from:
212 <a class="reference external" href="http://eprint.iacr.org/2004/199.pdf">http://eprint.iacr.org/2004/199.pdf</a></dd>
213 </dl>
214 </div>
215 <div class="section" id="thanks-to">
216 <h1><a class="toc-backref" href="#id11">Thanks to</a></h1>
217 <dl class="docutils">
218 <dt>I'd like to thank the following folks, in no specific order:</dt>
219 <dd><ul class="first last simple">
220 <li>Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper,
221 and also being stubborn enough in not accepting a partial solution.</li>
222 <li>Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring
223 (ferringb): for being knowledgeable about the Portage Manifest2
224 codebase.</li>
225 </ul>
226 </dd>
227 </dl>
228 </div>
229 <div class="section" id="copyright">
230 <h1><a class="toc-backref" href="#id12">Copyright</a></h1>
231 <p>Copyright (c) 2006 by Robin Hugh Johnson. This material may be
232 distributed only subject to the terms and conditions set forth in the
233 Open Publication License, v1.0.</p>
234 <p>vim: tw=72 ts=2 expandtab:</p>
235 </div>
237 </div>
238 <div class="footer">
239 <hr class="footer" />
240 <a class="reference external" href="glep-0059.txt">View document source</a>.
241 Generated on: 2008-10-28 07:47 UTC.
242 Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
244 </div>
245 </body>
246 </html>

  ViewVC Help
Powered by ViewVC 1.1.20