Contents of /xml/htdocs/proj/en/glep/glep-0059.txt

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.1 - (show annotations) (download)
Tue Oct 21 23:30:47 2008 UTC (9 years, 11 months ago) by cardoe
Branch: MAIN
File MIME type: text/plain
add Robin's tree signing gleps. They still need lots of editing love (some won't glep-ify) but at least they're here and have glep #s reserved

1 GLEP: 59
2 Title: Manifest2 hash policies and security implications
3 Version: $Revision: 1.11 $
4 Last-Modified: $Date: 2008/07/13 02:23:36 $
5 Author: Robin Hugh Johnson <robbat2@gentoo.org>,
6 Status: Draft
7 Type: Standards Track
8 Content-Type: text/x-rst
9 Requires: 44
10 Created: October 2006
11 Updated: November 2007, June 2008, July 2008
12 Updates: 44
14 Abstract
15 ========
16 While Manifest2 format allows multiple hashes, the question of which
17 checksums should be present, why, and the security implications of such
18 have never been resolved. This GLEP covers all of these issues, and
19 makes recommendations as to how to handle checksums both now, and in
20 future.
22 Motivation
23 ==========
24 This GLEP is being written as part of the work on signing the Portage
25 tree, but is only tangentially related to the actual signing of
26 Manifests. Checksums present one possible weak point in the overall
27 security of the tree - and a comprehensive security plan is needed.
29 Specification
30 =============
31 The bad news
32 ------------
33 First of all, I'd like to cover the bad news in checksum security.
34 A much discussed point, as been the simple question: What is the
35 security of multiple independent checksums on the same data?
36 The most common position (and indeed the one previously held by myself),
37 is that multiple checksums would be an increase in security, but we
38 could not provably quantify the amount of security this added.
39 The really bad news, is that this position is completely and utterly
40 wrong. Many of you will be aghast at this. There is extremely little
41 added security in multiple checksums [J04]. For any set of checksums,
42 the actual strength lies in that of the strongest checksum.
44 How fast can MD5 be broken?
45 ---------------------------
46 For a general collision, not a pre-image attack, since the original
47 announcement by Wang et al [W04], the time required to break MD5 has
48 been massively reduced. Originally at 1 hour on a near-supercomputer
49 (IBM P690) and estimated at 64 hours with a Pentium-3 1.7Ghz. This has
50 gone down to less than in two years, to 17 seconds [K06a]!
52 08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours
53 03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours
54 11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours
55 03/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours
56 04/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours
58 If we accept a factor of 800x as a sample of how much faster a checksum
59 may be broken over the course of 2 years (MD5 using the above data is
60 >2000x), then existing checksums do not stand a significant chance of
61 survival in the future. We should thus accept that whatever checksums we
62 are using today, will be broken in the near future, and plan as best as
63 possible. (A brief review [H04] of the present SHA1 attacks indicates an
64 improvement of ~600x in the same timespan).
66 And for those that claim implementation of these procedures is not yet
67 feasible, see [K06b] for an application that can produce two
68 self-extracting .exe files, with identical MD5s, and whatever payload
69 you want.
71 The good news
72 -------------
73 Of the checksums presently used by Manifest2, one stands close to being
74 completely broken: SHA1. The SHA2 series has suffered some attacks, but
75 still remains reasonably solid [G07],[K08]. No attacks against RIPEMD160
76 have been published, however it is constructed in the same manner as
77 MD5, SHA1 and SHA2, so is also vulnerable to the new methods of
78 cryptanalysis [H04].
80 To reduce the potential for future problems and any single checksum
81 break leading to a rapid decrease in security, we should incorporate the
82 strongest hash available from each family of checksums, and be prepared
83 to retire old checksums actively, unless there is a overriding reason to
84 keep a specific checksum.
86 What should be done
87 -------------------
88 Portage should always try to verify all supported hashes that are
89 available in a Manifest2, starting with the strongest ones as maintained
90 by a preference list. Over time, the weaker checksums should be removed
91 from Manifest2 files, once all old Portage installations have had
92 sufficient time to upgrade. We should be prepared to add stronger
93 checksums wherever possible, and to remove those that have been
94 defeated.
96 An unsupported hash is not considered to be a failure unless no
97 supported hashes are available.
99 Checksum depreciation
100 ~~~~~~~~~~~~~~~~~~~~~
101 For the current Portage, SHA1 should be gradually removed, as presents
102 no advantages over SHA256. Beyond one specific problem (see the next
103 paragraph), we should add SHA512 (SHA2, 512 bit size), the Whirlpool
104 checksum (standardized checksum, with no known weaknesses). In future,
105 as stream-based checksums are developed (in response to the development
106 by NIST [AHS]), they should be considered and used.
108 There is one temporary stumbling block at hand - the existing Portage
109 infrastructure does not support SHA384/512 or Whirlpool, thus hampering
110 their immediate acceptance. SHA512 is available in Python 2.5, while
111 SHA1 is already available in Python 2.4. After Python2.5 is established
112 in a Gentoo media release, that would be a suitable time to remove SHA1
113 from Manifest2 files.
115 Backwards Compatibility
116 =======================
117 Old versions of Portage may support and expect only specific checksums.
118 This is accounted for in the checksum depreciation discussion.
120 References
121 ==========
123 [AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions",
124 (Advanced Hash Standard). http://csrc.nist.gov/pki/HashWorkshop/
126 [BOBO06] Boneh, D. and Boyen, X. (2006). "On the Impossibility of
127 Efficiently Combining Collision Resistant Hash Functions"; Proceedings
128 of CRYPTO 2006, Dwork, C. (Ed.); Lecture Notes in Computer Science
129 4117, pp. 570-583. Available online from:
130 http://crypto.stanford.edu/~dabo/abstracts/hashing.html
132 [H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). "On Corrective
133 Patterns for the SHA-2 Family". CRYPTO 2004 Cryptology ePrint Archive,
134 Report 2004/204. Available online from:
135 http://eprint.iacr.org/2004/207.pdf
137 [J04] Joux, Antoie. (2004). "Multicollisions in Iterated Hash Functions
138 - Application to Cascaded Constructions;" Proceedings of CRYPTO 2004,
139 Franklin, M. (Ed); Lecture Notes in Computer Science 3152, pp.
140 306-316. Available online from:
141 http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf
143 [K06a] Klima, V. (2006). "Tunnels in Hash Functions: MD5 Collisions
144 Within a Minute". Cryptology ePrint Archive, Report 2006/105.
145 Available online from: http://eprint.iacr.org/2006/105.pdf
147 [K06b] Klima, V. (2006). "Note and links to high-speed MD5 collision
148 proof of concept tools". Available online from:
149 http://cryptography.hyperlink.cz/2006/trick.txt
151 [K08] Klima, V. (2008). "On Collisions of Hash Functions Turbo SHA-2".
152 Cryptology ePrint Archive, Report 2008/003. Available online from:
153 http://eprint.iacr.org/2008/003.pdf
155 [G07] Gligoroski, D. and Knapskog, S.J. (2007). "Turbo SHA-2".
156 Cryptology ePrint Archive, Report 2007/403. Available online from:
157 http://eprint.iacr.org/2007/403.pdf
159 [W04] Wang, X. et al: "Collisions for Hash Functions MD4, MD5,
160 HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint
161 Archive, Report 2004/199, first version (August 16, 2004), second
162 version (August 17, 2004). Available online from:
163 http://eprint.iacr.org/2004/199.pdf
165 Thanks to
166 =========
167 I'd like to thank the following folks, in no specific order:
168 - Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper,
169 and also being stubborn enough in not accepting a partial solution.
170 - Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring
171 (ferringb): for being knowledgeable about the Portage Manifest2
172 codebase.
174 Copyright
175 =========
176 Copyright (c) 2006 by Robin Hugh Johnson. This material may be
177 distributed only subject to the terms and conditions set forth in the
178 Open Publication License, v1.0.
180 vim: tw=72 ts=2 expandtab:

  ViewVC Help
Powered by ViewVC 1.1.20