Contents of /xml/htdocs/proj/en/glep/glep-0059.html

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.11 - (hide annotations) (download) (as text)
Wed Apr 7 21:56:59 2010 UTC (8 years, 11 months ago) by robbat2
Branch: MAIN
Changes since 1.10: +45 -34 lines
File MIME type: text/html
Sync HTML for updated references.

1 cardoe 1.1 <?xml version="1.0" encoding="utf-8" ?>
2     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3     <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
5     <head>
6     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
7 robbat2 1.4 <meta name="generator" content="Docutils 0.6: http://docutils.sourceforge.net/" />
8 cardoe 1.1 <title>GLEP 59 -- Manifest2 hash policies and security implications</title>
9     <link rel="stylesheet" href="tools/glep.css" type="text/css" /></head>
10     <body bgcolor="white">
11     <table class="navigation" cellpadding="0" cellspacing="0"
12     width="100%" border="0">
13     <tr><td class="navicon" width="150" height="35">
14     <a href="http://www.gentoo.org/" title="Gentoo Linux Home Page">
15     <img src="http://www.gentoo.org/images/gentoo-new.gif" alt="[Gentoo]"
16     border="0" width="150" height="35" /></a></td>
17     <td class="textlinks" align="left">
18     [<b><a href="http://www.gentoo.org/">Gentoo Linux Home</a></b>]
19     [<b><a href="http://www.gentoo.org/proj/en/glep">GLEP Index</a></b>]
20     [<b><a href="http://www.gentoo.org/proj/en/glep/glep-0059.txt">GLEP Source</a></b>]
21     </td></tr></table>
22     <table class="rfc2822 docutils field-list" frame="void" rules="none">
23     <col class="field-name" />
24     <col class="field-body" />
25     <tbody valign="top">
26     <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">59</td>
27     </tr>
28     <tr class="field"><th class="field-name">Title:</th><td class="field-body">Manifest2 hash policies and security implications</td>
29     </tr>
30 robbat2 1.11 <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.9</td>
31 cardoe 1.1 </tr>
32 robbat2 1.11 <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0059.txt?cvsroot=gentoo">2010/04/07 21:34:24</a></td>
33 cardoe 1.1 </tr>
34     <tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;,</td>
35     </tr>
36     <tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td>
37     </tr>
38     <tr class="field"><th class="field-name">Type:</th><td class="field-body">Standards Track</td>
39     </tr>
40     <tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference external" href="glep-0002.html">text/x-rst</a></td>
41     </tr>
42     <tr class="field"><th class="field-name">Requires:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/proj/en/glepglep-0044.html">44</a></td>
43     </tr>
44     <tr class="field"><th class="field-name">Created:</th><td class="field-body">October 2006</td>
45     </tr>
46 robbat2 1.4 <tr class="field"><th class="field-name">Updated:</th><td class="field-body">November 2007, June 2008, July 2008, October 2008, January 2010</td>
47 cardoe 1.1 </tr>
48     <tr class="field"><th class="field-name">Updates:</th><td class="field-body">44</td>
49     </tr>
50 robbat2 1.5 <tr class="field"><th class="field-name">Post-History:</th><td class="field-body">December 2009, January 2010</td>
51 robbat2 1.3 </tr>
52 cardoe 1.1 </tbody>
53     </table>
54     <hr />
55     <div class="contents topic" id="contents">
56     <p class="topic-title first">Contents</p>
57     <ul class="simple">
58 robbat2 1.11 <li><a class="reference internal" href="#abstract" id="id2">Abstract</a></li>
59     <li><a class="reference internal" href="#motivation" id="id3">Motivation</a></li>
60     <li><a class="reference internal" href="#specification" id="id4">Specification</a><ul>
61     <li><a class="reference internal" href="#the-bad-news" id="id5">The bad news</a></li>
62     <li><a class="reference internal" href="#how-fast-can-md5-be-broken" id="id6">How fast can MD5 be broken?</a></li>
63     <li><a class="reference internal" href="#the-good-news" id="id7">The good news</a></li>
64     <li><a class="reference internal" href="#what-should-be-done" id="id8">What should be done</a></li>
65     <li><a class="reference internal" href="#checksum-depreciation-timing" id="id9">Checksum depreciation timing</a><ul>
66     <li><a class="reference internal" href="#general-principles" id="id10">General principles:</a></li>
67     <li><a class="reference internal" href="#immediate-plans" id="id11">Immediate plans:</a></li>
68 cardoe 1.1 </ul>
69     </li>
70 robbat2 1.10 </ul>
71     </li>
72 robbat2 1.11 <li><a class="reference internal" href="#backwards-compatibility" id="id12">Backwards Compatibility</a></li>
73     <li><a class="reference internal" href="#references" id="id13">References</a></li>
74     <li><a class="reference internal" href="#thanks-to" id="id14">Thanks to</a></li>
75     <li><a class="reference internal" href="#id1" id="id15">References</a></li>
76     <li><a class="reference internal" href="#copyright" id="id16">Copyright</a></li>
77 cardoe 1.1 </ul>
78     </div>
79     <div class="section" id="abstract">
80 robbat2 1.11 <h1><a class="toc-backref" href="#id2">Abstract</a></h1>
81 cardoe 1.1 <p>While Manifest2 format allows multiple hashes, the question of which
82     checksums should be present, why, and the security implications of such
83     have never been resolved. This GLEP covers all of these issues, and
84     makes recommendations as to how to handle checksums both now, and in
85     future.</p>
86     </div>
87     <div class="section" id="motivation">
88 robbat2 1.11 <h1><a class="toc-backref" href="#id3">Motivation</a></h1>
89 cardoe 1.1 <p>This GLEP is being written as part of the work on signing the Portage
90     tree, but is only tangentially related to the actual signing of
91     Manifests. Checksums present one possible weak point in the overall
92     security of the tree - and a comprehensive security plan is needed.</p>
93 robbat2 1.8 <p>This GLEP is not mandatory for the tree-signing specification, but
94 robbat2 1.11 instead aims to improve the security of the hashes used in Manifest2
95     [GLEP44]. As such, it is also able to stand on it's own.</p>
96 cardoe 1.1 </div>
97     <div class="section" id="specification">
98 robbat2 1.11 <h1><a class="toc-backref" href="#id4">Specification</a></h1>
99 cardoe 1.1 <div class="section" id="the-bad-news">
100 robbat2 1.11 <h2><a class="toc-backref" href="#id5">The bad news</a></h2>
101 cardoe 1.1 <p>First of all, I'd like to cover the bad news in checksum security.
102     A much discussed point, as been the simple question: What is the
103     security of multiple independent checksums on the same data?
104     The most common position (and indeed the one previously held by myself),
105     is that multiple checksums would be an increase in security, but we
106     could not provably quantify the amount of security this added.
107     The really bad news, is that this position is completely and utterly
108     wrong. Many of you will be aghast at this. There is extremely little
109 robbat2 1.5 added security in multiple checksums as noted by Joux [J04]. For any set
110     of checksums, the actual strength lies in that of the strongest
111     checksum.</p>
112     <p>Wang et al [W04] extended Joux's [J04] work on SHA-0 to cover MD4, MD5,
113     HAVAL-128 and RIPEMD families of hashes.</p>
114 cardoe 1.1 </div>
115     <div class="section" id="how-fast-can-md5-be-broken">
116 robbat2 1.11 <h2><a class="toc-backref" href="#id6">How fast can MD5 be broken?</a></h2>
117 robbat2 1.5 <p>For a general collision, not a pre-image attack, since the announcement
118     by Wang et al [W04], the time required to break MD5 has been massively
119     reduced. Originally at 1 hour on a near-supercomputer (IBM P690) and
120     estimated at 64 hours with a Pentium-3 1.7Ghz. This has gone down to
121     less than in two years, to 17 seconds [K06a].</p>
122 robbat2 1.10 <ul class="simple">
123     <li>08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours</li>
124     <li>03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours</li>
125     <li>11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours</li>
126     <li>03/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours</li>
127     <li>04/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours</li>
128     </ul>
129 cardoe 1.1 <p>If we accept a factor of 800x as a sample of how much faster a checksum
130     may be broken over the course of 2 years (MD5 using the above data is
131     &gt;2000x), then existing checksums do not stand a significant chance of
132     survival in the future. We should thus accept that whatever checksums we
133     are using today, will be broken in the near future, and plan as best as
134 robbat2 1.5 possible. (A brief review [H04] of the SHA1 attacks indicates an
135 cardoe 1.1 improvement of ~600x in the same timespan).</p>
136     <p>And for those that claim implementation of these procedures is not yet
137     feasible, see [K06b] for an application that can produce two
138 robbat2 1.5 self-extracting EXE files, with identical MD5s, and whatever payload you
139     want.</p>
140 cardoe 1.1 </div>
141     <div class="section" id="the-good-news">
142 robbat2 1.11 <h2><a class="toc-backref" href="#id7">The good news</a></h2>
143 robbat2 1.5 <p>Of the checksums presently used by Manifest2 (SHA1, SHA256, RIPEMD160),
144     one stands close to being completely broken: SHA1; and another is
145     significantly weakened: RIPEMD160. The SHA2 series has suffered some
146     attacks, but still remains reasonably solid [G07],[K08].</p>
147 cardoe 1.1 <p>To reduce the potential for future problems and any single checksum
148     break leading to a rapid decrease in security, we should incorporate the
149     strongest hash available from each family of checksums, and be prepared
150     to retire old checksums actively, unless there is a overriding reason to
151 robbat2 1.5 keep a specific checksum, such as part of a migration plan.</p>
152 cardoe 1.1 </div>
153     <div class="section" id="what-should-be-done">
154 robbat2 1.11 <h2><a class="toc-backref" href="#id8">What should be done</a></h2>
155 cardoe 1.1 <p>Portage should always try to verify all supported hashes that are
156     available in a Manifest2, starting with the strongest ones as maintained
157     by a preference list. Over time, the weaker checksums should be removed
158     from Manifest2 files, once all old Portage installations have had
159 robbat2 1.10 sufficient time to upgrade. Stronger checksums shall be added as soon as
160     an implementation is available in Portage. Weak checksums may be removed
161     as long as the depreciation process is followed (see below).</p>
162 robbat2 1.5 <p>As soon as feasible, we should add the SHA512 and WHIRLPOOL algorithms.
163     In future, as stream-based checksums are developed (in response to the
164     development by NIST [AHS]), they should be considered and used.</p>
165     <p>The SHA512 algorithm is available in Python 2.5, which has been a
166 robbat2 1.9 dependency of Portage since approximately Portage</p>
167 robbat2 1.5 <p>The WHIRLPOOL checksum is not available within the PyCrypto library or
168     hashlib that is part of Python 2.5, but there are multiple alternative
169     Python implementations available, ranging from pure Python to C-based
170     (python-mhash).</p>
171     <p>The existence unsupported hash is not considered to be a failure unless
172     no supported hashes are available for a given Manifest entry.</p>
173     </div>
174     <div class="section" id="checksum-depreciation-timing">
175 robbat2 1.11 <h2><a class="toc-backref" href="#id9">Checksum depreciation timing</a></h2>
176 robbat2 1.10 <div class="section" id="general-principles">
177 robbat2 1.11 <h3><a class="toc-backref" href="#id10">General principles:</a></h3>
178 robbat2 1.10 <p>A minimum set of depreciated checksums shall be maintained only to
179     support old package manager versions where needed by historically used
180     trees:</p>
181     <ul class="simple">
182     <li>New package manager versions should NOT use depreciated checksums in</li>
183     <li>New trees with that have never used the depreciated checksums may omit
184     them for reasons of size, but are still strongly suggested to include
185     them.</li>
186     <li>Removal of depreciated checksums shall happen after no less than 18
187     months or one major Portage version cycle, whichever is greater.</li>
188     </ul>
189     </div>
190     <div class="section" id="immediate-plans">
191 robbat2 1.11 <h3><a class="toc-backref" href="#id11">Immediate plans:</a></h3>
192 robbat2 1.5 <p>For the current Portage, both SHA1 and RIPEMD160 should be immediately
193     removed, as they present no advantages over the already present SHA256.
194     SHA256 cannot be replaced immediately with SHA512, as existing Portage
195     versions need at least one supported algorithm present (SHA256 support
196     was added in June 2006), so it must be retained for some while.</p>
197 robbat2 1.10 <p>Immediately:</p>
198     <ul class="simple">
199     <li>Add WHIRLPOOL and SHA512.</li>
200     <li>Remove SHA1 and RIPEMD160.</li>
201     </ul>
202     <p>After the majority of Portage installations include SHA512 support:</p>
203     <ul class="simple">
204     <li>Remove SHA256.</li>
205     </ul>
206     </div>
207 cardoe 1.1 </div>
208     </div>
209     <div class="section" id="backwards-compatibility">
210 robbat2 1.11 <h1><a class="toc-backref" href="#id12">Backwards Compatibility</a></h1>
211 cardoe 1.1 <p>Old versions of Portage may support and expect only specific checksums.
212     This is accounted for in the checksum depreciation discussion.</p>
213 robbat2 1.9 <p>For maximum compatiability, we should only have to include each of the
214     old algorithms that we are officially still supporting, as well as the
215     new ones that we prefer.</p>
216 cardoe 1.1 </div>
217     <div class="section" id="references">
218 robbat2 1.11 <h1><a class="toc-backref" href="#id13">References</a></h1>
219 cardoe 1.1 <dl class="docutils">
220     <dt>[AHS] NIST (2007). &quot;NIST's Plan for New Cryptographic Hash Functions&quot;,</dt>
221     <dd>(Advanced Hash Standard). <a class="reference external" href="http://csrc.nist.gov/pki/HashWorkshop/">http://csrc.nist.gov/pki/HashWorkshop/</a></dd>
222     <dt>[BOBO06] Boneh, D. and Boyen, X. (2006). &quot;On the Impossibility of</dt>
223     <dd>Efficiently Combining Collision Resistant Hash Functions&quot;; Proceedings
224     of CRYPTO 2006, Dwork, C. (Ed.); Lecture Notes in Computer Science
225     4117, pp. 570-583. Available online from:
226     <a class="reference external" href="http://crypto.stanford.edu/~dabo/abstracts/hashing.html">http://crypto.stanford.edu/~dabo/abstracts/hashing.html</a></dd>
227     <dt>[H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). &quot;On Corrective</dt>
228     <dd>Patterns for the SHA-2 Family&quot;. CRYPTO 2004 Cryptology ePrint Archive,
229     Report 2004/204. Available online from:
230     <a class="reference external" href="http://eprint.iacr.org/2004/207.pdf">http://eprint.iacr.org/2004/207.pdf</a></dd>
231 robbat2 1.2 <dt>[J04] Joux, Antoie. (2004). &quot;Multicollisions in Iterated Hash</dt>
232     <dd>Functions - Application to Cascaded Constructions;&quot; Proceedings of
233     CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science
234     3152, pp. 306-316. Available online from:
235     <a class="reference external" href="http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf">http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf</a></dd>
236 cardoe 1.1 <dt>[K06a] Klima, V. (2006). &quot;Tunnels in Hash Functions: MD5 Collisions</dt>
237     <dd>Within a Minute&quot;. Cryptology ePrint Archive, Report 2006/105.
238     Available online from: <a class="reference external" href="http://eprint.iacr.org/2006/105.pdf">http://eprint.iacr.org/2006/105.pdf</a></dd>
239     <dt>[K06b] Klima, V. (2006). &quot;Note and links to high-speed MD5 collision</dt>
240     <dd>proof of concept tools&quot;. Available online from:
241     <a class="reference external" href="http://cryptography.hyperlink.cz/2006/trick.txt">http://cryptography.hyperlink.cz/2006/trick.txt</a></dd>
242     <dt>[K08] Klima, V. (2008). &quot;On Collisions of Hash Functions Turbo SHA-2&quot;.</dt>
243     <dd>Cryptology ePrint Archive, Report 2008/003. Available online from:
244     <a class="reference external" href="http://eprint.iacr.org/2008/003.pdf">http://eprint.iacr.org/2008/003.pdf</a></dd>
245     <dt>[G07] Gligoroski, D. and Knapskog, S.J. (2007). &quot;Turbo SHA-2&quot;.</dt>
246     <dd>Cryptology ePrint Archive, Report 2007/403. Available online from:
247     <a class="reference external" href="http://eprint.iacr.org/2007/403.pdf">http://eprint.iacr.org/2007/403.pdf</a></dd>
248     <dt>[W04] Wang, X. et al: &quot;Collisions for Hash Functions MD4, MD5,</dt>
249     <dd>HAVAL-128 and RIPEMD&quot;, rump session, CRYPTO 2004, Cryptology ePrint
250     Archive, Report 2004/199, first version (August 16, 2004), second
251     version (August 17, 2004). Available online from:
252     <a class="reference external" href="http://eprint.iacr.org/2004/199.pdf">http://eprint.iacr.org/2004/199.pdf</a></dd>
253     </dl>
254     </div>
255     <div class="section" id="thanks-to">
256 robbat2 1.11 <h1><a class="toc-backref" href="#id14">Thanks to</a></h1>
257 cardoe 1.1 <dl class="docutils">
258     <dt>I'd like to thank the following folks, in no specific order:</dt>
259     <dd><ul class="first last simple">
260     <li>Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper,
261     and also being stubborn enough in not accepting a partial solution.</li>
262     <li>Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring
263     (ferringb): for being knowledgeable about the Portage Manifest2
264     codebase.</li>
265     </ul>
266     </dd>
267     </dl>
268     </div>
269 robbat2 1.11 <div class="section" id="id1">
270     <h1><a class="toc-backref" href="#id15">References</a></h1>
271     <table class="docutils citation" frame="void" id="glep44" rules="none">
272     <colgroup><col class="label" /><col /></colgroup>
273     <tbody valign="top">
274     <tr><td class="label">[GLEP44]</td><td>Mauch, M. (2005) GLEP44 - Manifest2 format.
275     <a class="reference external" href="http://www.gentoo.org/proj/en/glep/glep-0044.html">http://www.gentoo.org/proj/en/glep/glep-0044.html</a></td></tr>
276     </tbody>
277     </table>
278     </div>
279 cardoe 1.1 <div class="section" id="copyright">
280 robbat2 1.11 <h1><a class="toc-backref" href="#id16">Copyright</a></h1>
281 robbat2 1.4 <p>Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be
282 cardoe 1.1 distributed only subject to the terms and conditions set forth in the
283     Open Publication License, v1.0.</p>
284 robbat2 1.11 <!-- vim: tw=72 ts=2 expandtab: -->
285 cardoe 1.1 </div>
287     </div>
288     <div class="footer">
289     <hr class="footer" />
290     <a class="reference external" href="glep-0059.txt">View document source</a>.
291 robbat2 1.11 Generated on: 2010-04-07 21:54 UTC.
292 cardoe 1.1 Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
294     </div>
295     </body>
296     </html>

  ViewVC Help
Powered by ViewVC 1.1.20