From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1NbWYg-0006yt-Nf for garchives@archives.gentoo.org; Sun, 31 Jan 2010 09:57:35 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E1689E0994; Sun, 31 Jan 2010 09:57:08 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 8FEE3E0994 for ; Sun, 31 Jan 2010 09:57:08 +0000 (UTC) Received: from mail.isohunt.com (b01.ext.isohunt.com [208.71.112.51]) by smtp.gentoo.org (Postfix) with ESMTP id CB2F41B4003 for ; Sun, 31 Jan 2010 09:57:07 +0000 (UTC) Received: (qmail 4090 invoked from network); 31 Jan 2010 09:57:04 -0000 Received: from tsi-static.orbis-terrarum.net (HELO grubbs.orbis-terrarum.net) (76.10.188.108) by mail.isohunt.com (qpsmtpd/0.33-dev on beta01) with (CAMELLIA256-SHA encrypted) ESMTPS; Sun, 31 Jan 2010 09:57:04 +0000 Received: (qmail 6517 invoked by uid 10000); 31 Jan 2010 09:57:02 -0000 Date: Sun, 31 Jan 2010 09:57:02 +0000 From: "Robin H. Johnson" To: gentoo-dev@lists.gentoo.org Subject: [gentoo-dev] GLEP59 - Manifest2 hashes Message-ID: References: Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="KuLpqunXa7jZSBt+" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.20 (2009-06-14) X-Archives-Salt: 6d26aac8-e8b0-4310-b8d2-e30bddd1b2df X-Archives-Hash: e2cd8b70b0d7d8a6fa24d28e339f8663 --KuLpqunXa7jZSBt+ Content-Type: multipart/mixed; boundary="bjuZg6miEcdLYP6q" Content-Disposition: inline --bjuZg6miEcdLYP6q Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Changes: - This GLEP should be considered regardless of GLEP58 passes, as it has independent value. - Python 2.5 is widely deployed now (and a dep on newer versions of Portage), so SHA512 is easily available. - RIPEMD160 was broken, so drop it as well. - Add WHIRLPOOL algorithm as it's not vulnerable to the same decomposition analysis introduced by Wang et al. - Add more detail to the migration plan. --=20 Robin Hugh Johnson Gentoo Linux: Developer, Trustee & Infrastructure Lead E-Mail : robbat2@gentoo.org GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 --bjuZg6miEcdLYP6q Content-Type: text/plain; charset=us-ascii Content-Disposition: inline; filename="glep-0059.txt" Content-Transfer-Encoding: quoted-printable GLEP: 59 Title: Manifest2 hash policies and security implications Version: $Revision: 1.6 $ Last-Modified: $Date: 2010/01/31 09:55:43 $ Author: Robin Hugh Johnson ,=20 Status: Draft Type: Standards Track Content-Type: text/x-rst Requires: 44 Created: October 2006 Updated: November 2007, June 2008, July 2008, October 2008, January 2010 Updates: 44 Post-History: December 2009, January 2010 Abstract =3D=3D=3D=3D=3D=3D=3D=3D While Manifest2 format allows multiple hashes, the question of which checksums should be present, why, and the security implications of such have never been resolved. This GLEP covers all of these issues, and makes recommendations as to how to handle checksums both now, and in future. Motivation =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D This GLEP is being written as part of the work on signing the Portage tree, but is only tangentially related to the actual signing of Manifests. Checksums present one possible weak point in the overall security of the tree - and a comprehensive security plan is needed. This GLEP is not mandatory for the tree-signing specification, but instead aims to improve the security of the hashes used in Manifest2. As such, it is also able to stand on it's own. Specification =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D The bad news ------------ First of all, I'd like to cover the bad news in checksum security. A much discussed point, as been the simple question: What is the security of multiple independent checksums on the same data? The most common position (and indeed the one previously held by myself), is that multiple checksums would be an increase in security, but we could not provably quantify the amount of security this added. The really bad news, is that this position is completely and utterly wrong. Many of you will be aghast at this. There is extremely little added security in multiple checksums as noted by Joux [J04]. For any set of checksums, the actual strength lies in that of the strongest checksum. Wang et al [W04] extended Joux's [J04] work on SHA-0 to cover MD4, MD5, HAVAL-128 and RIPEMD families of hashes. How fast can MD5 be broken? --------------------------- For a general collision, not a pre-image attack, since the announcement by Wang et al [W04], the time required to break MD5 has been massively reduced. Originally at 1 hour on a near-supercomputer (IBM P690) and estimated at 64 hours with a Pentium-3 1.7Ghz. This has gone down to less than in two years, to 17 seconds [K06a]. 08/2004 - 1 hour, IBM pSeries 690 (32x 1.7Ghz POWER4+) =3D 54.4 GHz-Hours 03/2005 - 8 hours, Pentium-M 1.6Ghz =3D 12.8 Ghz-Hours 11/2005 - 5 hours, Pentium-4 1.7Ghz =3D 8.5 Ghz-Hours 03/2006 - 1 minute, Pentium-4 3.2Ghz =3D .05 Ghz-Hours 04/2006 - 17 seconds, Pentium-4 3.2Ghz =3D .01 Ghz-Hours If we accept a factor of 800x as a sample of how much faster a checksum may be broken over the course of 2 years (MD5 using the above data is >2000x), then existing checksums do not stand a significant chance of survival in the future. We should thus accept that whatever checksums we are using today, will be broken in the near future, and plan as best as possible. (A brief review [H04] of the SHA1 attacks indicates an improvement of ~600x in the same timespan). And for those that claim implementation of these procedures is not yet feasible, see [K06b] for an application that can produce two self-extracting EXE files, with identical MD5s, and whatever payload you want. The good news ------------- Of the checksums presently used by Manifest2 (SHA1, SHA256, RIPEMD160), one stands close to being completely broken: SHA1; and another is significantly weakened: RIPEMD160. The SHA2 series has suffered some attacks, but still remains reasonably solid [G07],[K08].=20 To reduce the potential for future problems and any single checksum break leading to a rapid decrease in security, we should incorporate the strongest hash available from each family of checksums, and be prepared to retire old checksums actively, unless there is a overriding reason to keep a specific checksum, such as part of a migration plan. What should be done ------------------- Portage should always try to verify all supported hashes that are available in a Manifest2, starting with the strongest ones as maintained by a preference list. Over time, the weaker checksums should be removed =66rom Manifest2 files, once all old Portage installations have had sufficient time to upgrade. We should be prepared to add stronger checksums wherever possible, and to remove those that have been defeated. As soon as feasible, we should add the SHA512 and WHIRLPOOL algorithms. In future, as stream-based checksums are developed (in response to the development by NIST [AHS]), they should be considered and used. The SHA512 algorithm is available in Python 2.5, which has been a dependency of Portage since approximately Python 2.1.6.13. The WHIRLPOOL checksum is not available within the PyCrypto library or hashlib that is part of Python 2.5, but there are multiple alternative Python implementations available, ranging from pure Python to C-based (python-mhash). The existence unsupported hash is not considered to be a failure unless no supported hashes are available for a given Manifest entry. Checksum depreciation timing ---------------------------- For the current Portage, both SHA1 and RIPEMD160 should be immediately removed, as they present no advantages over the already present SHA256. SHA256 cannot be replaced immediately with SHA512, as existing Portage versions need at least one supported algorithm present (SHA256 support was added in June 2006), so it must be retained for some while. Immediately: - Add WHIRLPOOL and SHA512. - Remove SHA1 and RIPEMD160. After the majority of Portage installations include SHA512 support: - Remove SHA256. Backwards Compatibility =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Old versions of Portage may support and expect only specific checksums. This is accounted for in the checksum depreciation discussion. References =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D [AHS] NIST (2007). "NIST's Plan for New Cryptographic Hash Functions", (Advanced Hash Standard). http://csrc.nist.gov/pki/HashWorkshop/ [BOBO06] Boneh, D. and Boyen, X. (2006). "On the Impossibility of Efficiently Combining Collision Resistant Hash Functions"; Proceedings of CRYPTO 2006, Dwork, C. (Ed.); Lecture Notes in Computer Science 4117, pp. 570-583. Available online from: http://crypto.stanford.edu/~dabo/abstracts/hashing.html [H04] Hawkes, P. and Paddon, M. and Rose, G. (2004). "On Corrective Patterns for the SHA-2 Family". CRYPTO 2004 Cryptology ePrint Archive, Report 2004/204. Available online from: http://eprint.iacr.org/2004/207.pdf [J04] Joux, Antoie. (2004). "Multicollisions in Iterated Hash=20 Functions - Application to Cascaded Constructions;" Proceedings of CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science 3152, pp. 306-316. Available online from: http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-jo= ux.pdf [K06a] Klima, V. (2006). "Tunnels in Hash Functions: MD5 Collisions Within a Minute". Cryptology ePrint Archive, Report 2006/105. Available online from: http://eprint.iacr.org/2006/105.pdf [K06b] Klima, V. (2006). "Note and links to high-speed MD5 collision proof of concept tools". Available online from: http://cryptography.hyperlink.cz/2006/trick.txt [K08] Klima, V. (2008). "On Collisions of Hash Functions Turbo SHA-2". Cryptology ePrint Archive, Report 2008/003. Available online from: http://eprint.iacr.org/2008/003.pdf [G07] Gligoroski, D. and Knapskog, S.J. (2007). "Turbo SHA-2". Cryptology ePrint Archive, Report 2007/403. Available online from: http://eprint.iacr.org/2007/403.pdf [W04] Wang, X. et al: "Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint Archive, Report 2004/199, first version (August 16, 2004), second version (August 17, 2004). Available online from: http://eprint.iacr.org/2004/199.pdf Thanks to =3D=3D=3D=3D=3D=3D=3D=3D=3D I'd like to thank the following folks, in no specific order: - Ciaran McCreesh (ciaranm) - for pointing out the Joux (2004) paper, and also being stubborn enough in not accepting a partial solution. - Marius Mauch (genone), Zac Medico (zmedico) and Brian Harring (ferringb): for being knowledgeable about the Portage Manifest2 codebase. Copyright =3D=3D=3D=3D=3D=3D=3D=3D=3D Copyright (c) 2006-2010 by Robin Hugh Johnson. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0. vim: tw=3D72 ts=3D2 expandtab: --bjuZg6miEcdLYP6q-- --KuLpqunXa7jZSBt+ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Robbat2 @ Orbis-Terrarum Networks - The text below is a digital signature. If it doesn't make any sense to you, ignore it. iEYEARECAAYFAktlU+0ACgkQPpIsIjIzwixRfQCeN3kV7iIRfI6yMRMDuZabVohA 4i0An3CWu3m6Ee2D8QJxS5ajw2oCYQdq =0iLM -----END PGP SIGNATURE----- --KuLpqunXa7jZSBt+--