1 |
GLEP: 59 |
2 |
Title: Manifest2 hash policies and security implications |
3 |
Version: $Revision: 1.2 $ |
4 |
Last-Modified: $Date: 2008/10/22 17:59:43 $ |
5 |
Author: Robin Hugh Johnson <robbat2@gentoo.org>, |
6 |
Status: Draft |
7 |
Type: Standards Track |
8 |
Content-Type: text/x-rst |
9 |
Requires: 44 |
10 |
Created: October 2006 |
11 |
Updated: November 2007, June 2008, July 2008, October 2008 |
12 |
Updates: 44 |
13 |
Post-History: |
14 |
|
15 |
Abstract |
16 |
======== |
17 |
While Manifest2 format allows multiple hashes, the question of which |
18 |
checksums should be present, why, and the security implications of such |
19 |
have never been resolved. This GLEP covers all of these issues, and |
20 |
makes recommendations as to how to handle checksums both now, and in |
21 |
future. |
22 |
|
23 |
Motivation |
24 |
========== |
25 |
This GLEP is being written as part of the work on signing the Portage |
26 |
tree, but is only tangentially related to the actual signing of |
27 |
Manifests. Checksums present one possible weak point in the overall |
28 |
security of the tree - and a comprehensive security plan is needed. |
29 |
|
30 |
Specification |
31 |
============= |
32 |
The bad news |
33 |
------------ |
34 |
First of all, I'd like to cover the bad news in checksum security. |
35 |
A much discussed point, as been the simple question: What is the |
36 |
security of multiple independent checksums on the same data? |
37 |
The most common position (and indeed the one previously held by myself), |
38 |
is that multiple checksums would be an increase in security, but we |
39 |
could not provably quantify the amount of security this added. |
40 |
The really bad news, is that this position is completely and utterly |
41 |
wrong. Many of you will be aghast at this. There is extremely little |
42 |
added security in multiple checksums [J04]. For any set of checksums, |
43 |
the actual strength lies in that of the strongest checksum. |
44 |
|
45 |
How fast can MD5 be broken? |
46 |
--------------------------- |
47 |
For a general collision, not a pre-image attack, since the original |
48 |
announcement by Wang et al [W04], the time required to break MD5 has |
49 |
been massively reduced. Originally at 1 hour on a near-supercomputer |
50 |
(IBM P690) and estimated at 64 hours with a Pentium-3 1.7Ghz. This has |
51 |
gone down to less than in two years, to 17 seconds [K06a]! |
52 |
|
53 |
08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours |
54 |
03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours |
55 |
11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours |
56 |
03/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours |
57 |
04/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours |
58 |
|
59 |
If we accept a factor of 800x as a sample of how much faster a checksum |
60 |
may be broken over the course of 2 years (MD5 using the above data is |
61 |
>2000x), then existing checksums do not stand a significant chance of |
62 |
survival in the future. We should thus accept that whatever checksums we |
63 |
are using today, will be broken in the near future, and plan as best as |
64 |
possible. (A brief review [H04] of the present SHA1 attacks indicates an |
65 |
improvement of ~600x in the same timespan). |
66 |
|
67 |
And for those that claim implementation of these procedures is not yet |
68 |
feasible, see [K06b] for an application that can produce two |
69 |
self-extracting .exe files, with identical MD5s, and whatever payload |
70 |
you want. |
71 |
|
72 |
The good news |
73 |
------------- |
74 |
Of the checksums presently used by Manifest2, one stands close to being |
75 |
completely broken: SHA1. The SHA2 series has suffered some attacks, but |
76 |
still remains reasonably solid [G07],[K08]. No attacks against RIPEMD160 |
77 |
have been published, however it is constructed in the same manner as |
78 |
MD5, SHA1 and SHA2, so is also vulnerable to the new methods of |
79 |
cryptanalysis [H04]. |
80 |
|
81 |
To reduce the potential for future problems and any single checksum |
82 |
break leading to a rapid decrease in security, we should incorporate the |
83 |
strongest hash available from each family of checksums, and be prepared |
84 |
to retire old checksums actively, unless there is a overriding reason to |
85 |
keep a specific checksum. |
86 |
|
87 |
What should be done |
88 |
------------------- |
89 |
Portage should always try to verify all supported hashes that are |
90 |
available in a Manifest2, starting with the strongest ones as maintained |
91 |
by a preference list. Over time, the weaker checksums should be removed |
92 |
from Manifest2 files, once all old Portage installations have had |
93 |
sufficient time to upgrade. We should be prepared to add stronger |
94 |
checksums wherever possible, and to remove those that have been |
95 |
defeated. |
96 |
|
97 |
An unsupported hash is not considered to be a failure unless no |
98 |
supported hashes are available. |
99 |
|
100 |
Checksum depreciation |
101 |
~~~~~~~~~~~~~~~~~~~~~ |
102 |
For the current Portage, SHA1 should be gradually removed, as presents |
103 |
no advantages over SHA256. Beyond one specific problem (see the next |
104 |
paragraph), we should add SHA512 (SHA2, 512 bit size), the Whirlpool |
105 |
checksum (standardized checksum, with no known weaknesses). In future, |
106 |
as stream-based checksums are developed (in response to the development |
107 |
by NIST [AHS]), they should be considered and used. |
108 |
|
109 |
There is one temporary stumbling block at hand - the existing Portage |
110 |
infrastructure does not support SHA384/512 or Whirlpool, thus hampering |
111 |
their immediate acceptance. SHA512 is available in Python 2.5, while |
112 |
SHA1 is already available in Python 2.4. After Python2.5 is established |
113 |
in a Gentoo media release, that would be a suitable time to remove SHA1 |
114 |
from Manifest2 files. |
115 |
|
116 |
Backwards Compatibility |
117 |
======================= |
118 |
Old versions of Portage may support and expect only specific checksums. |
119 |
This is accounted for in the checksum depreciation discussion. |
120 |
|
121 |
References |
122 |
========== |
123 |
|
124 |
[AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions", |
125 |
(Advanced Hash Standard). http://csrc.nist.gov/pki/HashWorkshop/ |
126 |
|
127 |
[BOBO06] Boneh, D. and Boyen, X. (2006). "On the Impossibility of |
128 |
Efficiently Combining Collision Resistant Hash Functions"; Proceedings |
129 |
of CRYPTO 2006, Dwork, C. (Ed.); Lecture Notes in Computer Science |
130 |
4117, pp. 570-583. Available online from: |
131 |
http://crypto.stanford.edu/~dabo/abstracts/hashing.html |
132 |
|
133 |
[H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). "On Corrective |
134 |
Patterns for the SHA-2 Family". CRYPTO 2004 Cryptology ePrint Archive, |
135 |
Report 2004/204. Available online from: |
136 |
http://eprint.iacr.org/2004/207.pdf |
137 |
|
138 |
[J04] Joux, Antoie. (2004). "Multicollisions in Iterated Hash |
139 |
Functions - Application to Cascaded Constructions;" Proceedings of |
140 |
CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science |
141 |
3152, pp. 306-316. Available online from: |
142 |
http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf |
143 |
|
144 |
[K06a] Klima, V. (2006). "Tunnels in Hash Functions: MD5 Collisions |
145 |
Within a Minute". Cryptology ePrint Archive, Report 2006/105. |
146 |
Available online from: http://eprint.iacr.org/2006/105.pdf |
147 |
|
148 |
[K06b] Klima, V. (2006). "Note and links to high-speed MD5 collision |
149 |
proof of concept tools". Available online from: |
150 |
http://cryptography.hyperlink.cz/2006/trick.txt |
151 |
|
152 |
[K08] Klima, V. (2008). "On Collisions of Hash Functions Turbo SHA-2". |
153 |
Cryptology ePrint Archive, Report 2008/003. Available online from: |
154 |
http://eprint.iacr.org/2008/003.pdf |
155 |
|
156 |
[G07] Gligoroski, D. and Knapskog, S.J. (2007). "Turbo SHA-2". |
157 |
Cryptology ePrint Archive, Report 2007/403. Available online from: |
158 |
http://eprint.iacr.org/2007/403.pdf |
159 |
|
160 |
[W04] Wang, X. et al: "Collisions for Hash Functions MD4, MD5, |
161 |
HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint |
162 |
Archive, Report 2004/199, first version (August 16, 2004), second |
163 |
version (August 17, 2004). Available online from: |
164 |
http://eprint.iacr.org/2004/199.pdf |
165 |
|
166 |
Thanks to |
167 |
========= |
168 |
I'd like to thank the following folks, in no specific order: |
169 |
- Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper, |
170 |
and also being stubborn enough in not accepting a partial solution. |
171 |
- Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring |
172 |
(ferringb): for being knowledgeable about the Portage Manifest2 |
173 |
codebase. |
174 |
|
175 |
Copyright |
176 |
========= |
177 |
Copyright (c) 2006 by Robin Hugh Johnson. This material may be |
178 |
distributed only subject to the terms and conditions set forth in the |
179 |
Open Publication License, v1.0. |
180 |
|
181 |
vim: tw=72 ts=2 expandtab: |