| 1 |
GLEP: 59 |
| 2 |
Title: Manifest2 hash policies and security implications |
| 3 |
Version: $Revision: 1.2 $ |
| 4 |
Last-Modified: $Date: 2008/10/22 17:59:43 $ |
| 5 |
Author: Robin Hugh Johnson <robbat2@gentoo.org>, |
| 6 |
Status: Draft |
| 7 |
Type: Standards Track |
| 8 |
Content-Type: text/x-rst |
| 9 |
Requires: 44 |
| 10 |
Created: October 2006 |
| 11 |
Updated: November 2007, June 2008, July 2008, October 2008 |
| 12 |
Updates: 44 |
| 13 |
Post-History: |
| 14 |
|
| 15 |
Abstract |
| 16 |
======== |
| 17 |
While Manifest2 format allows multiple hashes, the question of which |
| 18 |
checksums should be present, why, and the security implications of such |
| 19 |
have never been resolved. This GLEP covers all of these issues, and |
| 20 |
makes recommendations as to how to handle checksums both now, and in |
| 21 |
future. |
| 22 |
|
| 23 |
Motivation |
| 24 |
========== |
| 25 |
This GLEP is being written as part of the work on signing the Portage |
| 26 |
tree, but is only tangentially related to the actual signing of |
| 27 |
Manifests. Checksums present one possible weak point in the overall |
| 28 |
security of the tree - and a comprehensive security plan is needed. |
| 29 |
|
| 30 |
Specification |
| 31 |
============= |
| 32 |
The bad news |
| 33 |
------------ |
| 34 |
First of all, I'd like to cover the bad news in checksum security. |
| 35 |
A much discussed point, as been the simple question: What is the |
| 36 |
security of multiple independent checksums on the same data? |
| 37 |
The most common position (and indeed the one previously held by myself), |
| 38 |
is that multiple checksums would be an increase in security, but we |
| 39 |
could not provably quantify the amount of security this added. |
| 40 |
The really bad news, is that this position is completely and utterly |
| 41 |
wrong. Many of you will be aghast at this. There is extremely little |
| 42 |
added security in multiple checksums [J04]. For any set of checksums, |
| 43 |
the actual strength lies in that of the strongest checksum. |
| 44 |
|
| 45 |
How fast can MD5 be broken? |
| 46 |
--------------------------- |
| 47 |
For a general collision, not a pre-image attack, since the original |
| 48 |
announcement by Wang et al [W04], the time required to break MD5 has |
| 49 |
been massively reduced. Originally at 1 hour on a near-supercomputer |
| 50 |
(IBM P690) and estimated at 64 hours with a Pentium-3 1.7Ghz. This has |
| 51 |
gone down to less than in two years, to 17 seconds [K06a]! |
| 52 |
|
| 53 |
08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) = 54.4 GHz-Hours |
| 54 |
03/2005 - 8 hours, Pentium-M 1.6Ghz = 12.8 Ghz-Hours |
| 55 |
11/2005 - 5 hours, Pentium-4 1.7Ghz = 8.5 Ghz-Hours |
| 56 |
03/2006 - 1 minute, Pentium-4 3.2Ghz = .05 Ghz-Hours |
| 57 |
04/2006 - 17 seconds, Pentium-4 3.2Ghz = .01 Ghz-Hours |
| 58 |
|
| 59 |
If we accept a factor of 800x as a sample of how much faster a checksum |
| 60 |
may be broken over the course of 2 years (MD5 using the above data is |
| 61 |
>2000x), then existing checksums do not stand a significant chance of |
| 62 |
survival in the future. We should thus accept that whatever checksums we |
| 63 |
are using today, will be broken in the near future, and plan as best as |
| 64 |
possible. (A brief review [H04] of the present SHA1 attacks indicates an |
| 65 |
improvement of ~600x in the same timespan). |
| 66 |
|
| 67 |
And for those that claim implementation of these procedures is not yet |
| 68 |
feasible, see [K06b] for an application that can produce two |
| 69 |
self-extracting .exe files, with identical MD5s, and whatever payload |
| 70 |
you want. |
| 71 |
|
| 72 |
The good news |
| 73 |
------------- |
| 74 |
Of the checksums presently used by Manifest2, one stands close to being |
| 75 |
completely broken: SHA1. The SHA2 series has suffered some attacks, but |
| 76 |
still remains reasonably solid [G07],[K08]. No attacks against RIPEMD160 |
| 77 |
have been published, however it is constructed in the same manner as |
| 78 |
MD5, SHA1 and SHA2, so is also vulnerable to the new methods of |
| 79 |
cryptanalysis [H04]. |
| 80 |
|
| 81 |
To reduce the potential for future problems and any single checksum |
| 82 |
break leading to a rapid decrease in security, we should incorporate the |
| 83 |
strongest hash available from each family of checksums, and be prepared |
| 84 |
to retire old checksums actively, unless there is a overriding reason to |
| 85 |
keep a specific checksum. |
| 86 |
|
| 87 |
What should be done |
| 88 |
------------------- |
| 89 |
Portage should always try to verify all supported hashes that are |
| 90 |
available in a Manifest2, starting with the strongest ones as maintained |
| 91 |
by a preference list. Over time, the weaker checksums should be removed |
| 92 |
from Manifest2 files, once all old Portage installations have had |
| 93 |
sufficient time to upgrade. We should be prepared to add stronger |
| 94 |
checksums wherever possible, and to remove those that have been |
| 95 |
defeated. |
| 96 |
|
| 97 |
An unsupported hash is not considered to be a failure unless no |
| 98 |
supported hashes are available. |
| 99 |
|
| 100 |
Checksum depreciation |
| 101 |
~~~~~~~~~~~~~~~~~~~~~ |
| 102 |
For the current Portage, SHA1 should be gradually removed, as presents |
| 103 |
no advantages over SHA256. Beyond one specific problem (see the next |
| 104 |
paragraph), we should add SHA512 (SHA2, 512 bit size), the Whirlpool |
| 105 |
checksum (standardized checksum, with no known weaknesses). In future, |
| 106 |
as stream-based checksums are developed (in response to the development |
| 107 |
by NIST [AHS]), they should be considered and used. |
| 108 |
|
| 109 |
There is one temporary stumbling block at hand - the existing Portage |
| 110 |
infrastructure does not support SHA384/512 or Whirlpool, thus hampering |
| 111 |
their immediate acceptance. SHA512 is available in Python 2.5, while |
| 112 |
SHA1 is already available in Python 2.4. After Python2.5 is established |
| 113 |
in a Gentoo media release, that would be a suitable time to remove SHA1 |
| 114 |
from Manifest2 files. |
| 115 |
|
| 116 |
Backwards Compatibility |
| 117 |
======================= |
| 118 |
Old versions of Portage may support and expect only specific checksums. |
| 119 |
This is accounted for in the checksum depreciation discussion. |
| 120 |
|
| 121 |
References |
| 122 |
========== |
| 123 |
|
| 124 |
[AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions", |
| 125 |
(Advanced Hash Standard). http://csrc.nist.gov/pki/HashWorkshop/ |
| 126 |
|
| 127 |
[BOBO06] Boneh, D. and Boyen, X. (2006). "On the Impossibility of |
| 128 |
Efficiently Combining Collision Resistant Hash Functions"; Proceedings |
| 129 |
of CRYPTO 2006, Dwork, C. (Ed.); Lecture Notes in Computer Science |
| 130 |
4117, pp. 570-583. Available online from: |
| 131 |
http://crypto.stanford.edu/~dabo/abstracts/hashing.html |
| 132 |
|
| 133 |
[H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). "On Corrective |
| 134 |
Patterns for the SHA-2 Family". CRYPTO 2004 Cryptology ePrint Archive, |
| 135 |
Report 2004/204. Available online from: |
| 136 |
http://eprint.iacr.org/2004/207.pdf |
| 137 |
|
| 138 |
[J04] Joux, Antoie. (2004). "Multicollisions in Iterated Hash |
| 139 |
Functions - Application to Cascaded Constructions;" Proceedings of |
| 140 |
CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science |
| 141 |
3152, pp. 306-316. Available online from: |
| 142 |
http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf |
| 143 |
|
| 144 |
[K06a] Klima, V. (2006). "Tunnels in Hash Functions: MD5 Collisions |
| 145 |
Within a Minute". Cryptology ePrint Archive, Report 2006/105. |
| 146 |
Available online from: http://eprint.iacr.org/2006/105.pdf |
| 147 |
|
| 148 |
[K06b] Klima, V. (2006). "Note and links to high-speed MD5 collision |
| 149 |
proof of concept tools". Available online from: |
| 150 |
http://cryptography.hyperlink.cz/2006/trick.txt |
| 151 |
|
| 152 |
[K08] Klima, V. (2008). "On Collisions of Hash Functions Turbo SHA-2". |
| 153 |
Cryptology ePrint Archive, Report 2008/003. Available online from: |
| 154 |
http://eprint.iacr.org/2008/003.pdf |
| 155 |
|
| 156 |
[G07] Gligoroski, D. and Knapskog, S.J. (2007). "Turbo SHA-2". |
| 157 |
Cryptology ePrint Archive, Report 2007/403. Available online from: |
| 158 |
http://eprint.iacr.org/2007/403.pdf |
| 159 |
|
| 160 |
[W04] Wang, X. et al: "Collisions for Hash Functions MD4, MD5, |
| 161 |
HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint |
| 162 |
Archive, Report 2004/199, first version (August 16, 2004), second |
| 163 |
version (August 17, 2004). Available online from: |
| 164 |
http://eprint.iacr.org/2004/199.pdf |
| 165 |
|
| 166 |
Thanks to |
| 167 |
========= |
| 168 |
I'd like to thank the following folks, in no specific order: |
| 169 |
- Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper, |
| 170 |
and also being stubborn enough in not accepting a partial solution. |
| 171 |
- Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring |
| 172 |
(ferringb): for being knowledgeable about the Portage Manifest2 |
| 173 |
codebase. |
| 174 |
|
| 175 |
Copyright |
| 176 |
========= |
| 177 |
Copyright (c) 2006 by Robin Hugh Johnson. This material may be |
| 178 |
distributed only subject to the terms and conditions set forth in the |
| 179 |
Open Publication License, v1.0. |
| 180 |
|
| 181 |
vim: tw=72 ts=2 expandtab: |
Parent Directory
| 
Revision Log