From: "Robin H. Johnson"
To: gentoo-dev@lists.gentoo.org
Date: Wed, 15 Nov 2017 21:02:07 +0000
Subject: [gentoo-dev] Manifest2 hashes: validation of single hash per MANIFESTx_REQUIRED_HASH

Replying to your original question here, to repeat the answer I emphasised
before, along with significantly more detail in the history of Portage hashes
(pulled from my notes back to GLEP57 and some minor updates).

On Wed, Nov 08, 2017 at 12:57:49PM -0600, R0b0t1 wrote:
> These posts are concerning because it looks like someone became stir
> crazy and invented a problem to solve. The changes proposed to date
> have remained poorly justified, and no one has addressed the concern
> that multiple hashes *is* actually more secure.
>
> If it was deemed necessary at one point, what justification was used?
> I.e. https://en.wikipedia.org/wiki/Wikipedia:Chesterton's_fence.

On Wed, Nov 15, 2017 at 11:47:41AM -0600, R0b0t1 wrote:
> Does the existence of a decision mean I would need to contact the trustees
> if I feel the changes have not been adequately justified?

In GLEP59, I referenced a paper by Joux [J04], in which it was shown that a
concatenation of multiple hashes is NOT much more secure against collisions
than the strongest of the individual hashes.

That was cited as original logic in GLEP59 for the removal of SHA256 (that
removal was never implemented).
WHIRLPOOL & SHA512 were kept out of an abundance of caution at the time,
mostly due to implementation bugs in hashes (as I have referenced in the
related threads since).

Your logic regarding removing something you think I don't understand is wrong
(Chesterton's Fence):

If you dig in the history of Portage, you will see that it's always been valid
to have just a SINGLE hash for each file in a Manifest.
Required hashes has NEVER contained more than one hash.

If multiple hashes are present, then Portage will validate all of them, but a
potential attacker can still modify the Manifest and have only a single hash
listed.

Exactly which hash MUST be present has changed over time.

Manifest1 is very old, and was stored in $CAT/$PN/files/digest-$P
Manifest2 is the current $CAT/$PN/Manifest (and soon in more locations per
MetaManifest).

1999/xx/xx: Portage starts with Manifest1 format, MD5-only (CVS)
2004/08/25: Portage gets SHA1 support in Manifest1, but is problematic, SHA1
generation manual only.
https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-src/portage/pym/portage_checksum.py?revision=1.1&view=markup
https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-src/portage/pym/portage.py?r1=1.485&r2=1.486
2005/12/19: Portage Manifest1 supports MD5,SHA1,SHA256,RMD160, but still
requires only a single hash present. Generates MD5+SHA256+RMD160.
https://gitweb.gentoo.org/proj/portage.git/commit/?id=cd3e3775966a9f58aebb91f58cbdb5903faad3de
2006/03/24: Manifest2 introduced.
https://gitweb.gentoo.org/proj/portage.git/commit/?id=f993747ca501e8a70d6f6174711149a172cfc3c2
2007/01/20: MANIFEST2_REQUIRED_HASH introduced, SHA1, it must be present & pass
https://gitweb.gentoo.org/proj/portage.git/commit/?id=e768571187d1655fbb558c23d61fa2983e48e411
2007/12/18: MANIFEST1_REQUIRED_HASH introduced, MD5, it must be present & pass
https://gitweb.gentoo.org/proj/portage.git/commit/?id=d9b10deaa03ce174d5ccc3b59c477549ad87e884
2008/02/28: Manifest1 support dropped.
https://gitweb.gentoo.org/proj/portage.git/commit/?id=66940e1f2f0549ee8f01dad59016e168105e193d
2011/10/02: GLEP59 implemented, MANIFEST2_REQUIRED_HASH changes to SHA256
https://gitweb.gentoo.org/proj/portage.git/commit/?id=c8cd3a985cc529299411d7343a11004b7d1330ef
2017/06/15: MANIFEST2_REQUIRED_HASH changes to SHA512
https://gitweb.gentoo.org/proj/portage.git/commit/?id=e6abcc0b7cbdca481862a5c7cca946c01c471ffb

[J04] Joux, Antoine. (2004). "Multicollisions in Iterated Hash Functions -
Application to Cascaded Constructions;"
Proceedings of CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer
Science 3152, pp. 306-316.
Available online from:
http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Asst. Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
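
Added example, not part of the original message and not Portage's own code: a minimal Python check of one Manifest2 entry under the policy the message describes (the required hash must be listed, and every listed hash must match). The `TYPE name size HASH hex ...` line layout, the function names, the sample data and the rejection of unsupported hash names are assumptions of this example.

```python
import hashlib

REQUIRED_HASH = "SHA512"  # required hash per the 2017/06/15 timeline entry
# Hash names this example can compute (a subset chosen for the example).
SUPPORTED = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256,
             "SHA512": hashlib.sha512}


def parse_entry(line):
    """Split 'TYPE name size HASH hex [HASH hex ...]' into its fields."""
    fields = line.split()
    if len(fields) < 5 or len(fields) % 2 == 0:
        raise ValueError("malformed Manifest2 entry: %r" % line)
    return fields[1], int(fields[2]), dict(zip(fields[3::2], fields[4::2]))


def verify_entry(line, data, required=REQUIRED_HASH):
    """Return (ok, reason): the required hash must be listed, and every
    listed hash must match the data."""
    _name, size, hashes = parse_entry(line)
    if required not in hashes:
        return False, "required hash %s missing" % required
    if size != len(data):
        return False, "size mismatch"
    for algo, expected in hashes.items():
        if algo not in SUPPORTED:  # this example's choice: reject, do not skip
            return False, "unsupported hash %s" % algo
        if SUPPORTED[algo](data).hexdigest() != expected.lower():
            return False, "%s mismatch" % algo
    return True, "ok"


def make_entry(name, data, algos):
    """Build a DIST entry for the given bytes (used for sample data only)."""
    parts = ["DIST", name, str(len(data))]
    for algo in algos:
        parts += [algo, SUPPORTED[algo](data).hexdigest()]
    return " ".join(parts)


# Constructed sample data: two different payloads of equal length.
ORIGINAL = b"release tarball v1.0 bytes\n"
REPLACED = b"tampered tarball v1.0 byte\n"

if __name__ == "__main__":
    two = make_entry("foo-1.0.tar.gz", ORIGINAL, ["SHA256", "SHA512"])
    one = make_entry("foo-1.0.tar.gz", REPLACED, ["SHA512"])
    weak = make_entry("foo-1.0.tar.gz", ORIGINAL, ["SHA256"])
    print(verify_entry(two, ORIGINAL))   # both hashes listed, both match
    print(verify_entry(two, REPLACED))   # listed hashes no longer match
    print(verify_entry(one, REPLACED))   # rewritten entry, single hash: valid
    print(verify_entry(weak, ORIGINAL))  # required hash absent: rejected
```

The third case is the one the message points at: an entry rewritten to list only the required hash is still a valid entry, so the number of hashes listed does not constrain someone who can modify the Manifest.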