@@ -1,8 +1,8 @@
Filename: xxx-what-uses-sha1.txt
Title: Where does Tor use SHA-1 today?
Version: $Revision$
-Last-Modified: $Date$
-Author: Nick Mathewson
+Last-Modified: 1-May-2009
+Authors: Nick Mathewson, Marian
Created: 30-Dec-2008
Status: Meta
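Review bot: replacing the `$Date$` keyword on the Last-Modified line with the literal `1-May-2009` while the Version line keeps `$Revision$` leaves the two header fields on different maintenance schemes; either keep `$Date$` so the field tracks commits automatically, or replace both keywords consistently. The new Authors line also lists the second author by first name only ("Marian"); a full name would match the existing entry.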
@@ -15,9 +15,15 @@ Introduction:
too long.
According to smart crypto people, the SHA-2 functions (SHA-256, etc)
- share too much of SHA-1's structure to be very good. Some people
- like other hash functions; most of these have not seen enough
- analysis to be widely regarded as an extra-good idea.
+ share too much of SHA-1's structure to be very good. RIPEMD-160 is
+ also based on flawed past hashes. Some people think other hash
+ functions (e.g. Whirlpool and Tiger) are not as bad; most of these
+ have not seen enough analysis to be used yet.
+
+ Here is a 2006 paper about hash algorithms.
+ http://www.sane.nl/sane2006/program/final-papers/R10.pdf
+
+ (Todo: Ask smart crypto people.)
By 2012, the NIST SHA-3 competition will be done, and with luck we'll
have something good to switch too. But it's probably a bad idea to
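Review bot: the added paragraph cites the 2006 hash-algorithm paper by bare URL only; give its title and authors so the reference survives link rot. The new statements that "RIPEMD-160 is also based on flawed past hashes" and that Whirlpool and Tiger "are not as bad" are asserted without a source, so either attach them to that citation or keep them under the "(Todo: Ask smart crypto people.)" marker rather than stating them as settled.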
@@ -85,19 +91,41 @@ What Tor uses hashes for today:
A. All signatures are generated on the SHA-1 of their corresponding
documents, using PKCS1 padding.
+ * In dir-spec.txt, section 1.3, it states,
+ "SIGNATURE" Object contains a signature (using the signing key)
+ of the PKCS1-padded digest of the entire document, taken from
+ the beginning of the Initial item, through the newline after
+ the Signature Item's keyword and its arguments."
+ So our attacker, Malcom, could generate a collision for the hash
+ that is signed. Thus, a second pre-image attack is possible.
+ Vulnerable to regular collision attack only if key is stolen.
+ If the key is stolen, Malcom could distribute two different
+ copies of the document which have the same hash. Maybe useful
+ for a partitioning attack?
B. Router descriptors identify their corresponding extra-info documents
by their SHA-1 digest.
+ * A third party might use a second pre-image attack to generate a
+ false extra-info document that has the same hash. The router
+ itself might use a regular collision attack to generate multiple
+ extra-info documents with the same hash, which might be useful
+ for a partitioning attack.
C. Fingerprints in router descriptors are taken using SHA-1.
- D. Fingerprints in authority certs are taken using SHA-1.
- E. Fingerprints in dir-source lines of votes and consensuses are taken
+ * The fingerprint must match the public key. Not sure what would
+ happen if two routers had different public keys but the same
+ fingerprint. There could perhaps be unpredictable behaviour.
+ D. In router descriptors, routers in the same "Family" may be listed
+ by server nicknames or hexdigests.
+ * Does not seem critical.
+ E. Fingerprints in authority certs are taken using SHA-1.
+ F. Fingerprints in dir-source lines of votes and consensuses are taken
using SHA-1.
- F. Networkstatuses refer to routers identity keys and descriptors by their
+ G. Networkstatuses refer to routers identity keys and descriptors by their
SHA-1 digests.
- G. Directory-signature lines identify which key is doing the signing by
+ H. Directory-signature lines identify which key is doing the signing by
the SHA-1 digests of the authority's signing key and its identity key.
- H. The following items are downloaded by the SHA-1 of their contents:
+ I. The following items are downloaded by the SHA-1 of their contents:
XXXX list them
- I. The following items are downloaded by the SHA-1 of an identity key:
+ J. The following items are downloaded by the SHA-1 of an identity key:
XXXX list them too.
4. The rendezvous protocol
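Review bot: the reasoning added under item A draws its conclusion backwards. Producing a different document with the same digest as one the authority has already signed is by definition a second-preimage attack, so "could generate a collision for the hash that is signed. Thus, a second pre-image attack is possible" should be reworded to say that forging a signature without the key requires a second preimage, and that a collision attack only matters where the attacker can influence what the authority signs. The following line, "Vulnerable to regular collision attack only if key is stolen", should also explain what a collision adds once the key is stolen, since a stolen key already lets the attacker sign arbitrary documents. Minor points in the same hunk: "Malcom" is presumably "Malcolm", the note under item C leaves its own question ("Not sure what would happen ...") unanswered rather than checking what the code does when two routers share a fingerprint, and the renumbered items I and J still carry the "XXXX list them" placeholders.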
@@ -137,4 +165,3 @@ What Tor uses hashes for today:
hashes of their identity keys.
E. The deprecated .exit notation uses SHA-1 hashes of identity keys
-