xxx-what-uses-sha1.txt 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247
  1. Filename: xxx-what-uses-sha1.txt
  2. Title: Where does Tor use SHA-1 today?
  3. Authors: Nick Mathewson, Marian
  4. Created: 30-Dec-2008
  5. Status: Meta
  6. Introduction:
  7. Tor uses SHA-1 as a message digest. SHA-1 is showing its age:
  8. theoretical attacks for finding collisions against it get better
  9. every year or two, and it will likely be broken in practice before
  10. too long.
  11. According to smart crypto people, the SHA-2 functions (SHA-256, etc)
  12. share too much of SHA-1's structure to be very good. RIPEMD-160 is
  13. also based on flawed past hashes. Some people think other hash
  14. functions (e.g. Whirlpool and Tiger) are not as bad; most of these
  15. have not seen enough analysis to be used yet.
  16. Here is a 2006 paper about hash algorithms.
  17. http://www.sane.nl/sane2006/program/final-papers/R10.pdf
  18. (Todo: Ask smart crypto people.)
  19. By 2012, the NIST SHA-3 competition will be done, and with luck we'll
  20. have something good to switch too. But it's probably a bad idea to
  21. wait until 2012 to figure out _how_ to migrate to a new hash
  22. function, for two reasons:
  23. 1) It's not inconceivable we'll want to migrate in a hurry
  24. some time before then.
  25. 2) It's likely that migrating to a new hash function will
  26. require protocol changes, and it's easiest to make protocol
  27. changes backward compatible if we lay the groundwork in
  28. advance. It would suck to have to break compatibility with
  29. a big hard-to-test "flag day" protocol change.
  30. This document attempts to list everything Tor uses SHA-1 for today.
  31. This is the first step in getting all the design work done to switch
  32. to something else.
  33. This document SHOULD NOT be a clearinghouse of what to do about our
  34. use of SHA-1. That's better left for other individual proposals.
  35. Why now?
  36. The recent publication of "MD5 considered harmful today: Creating a
  37. rogue CA certificate" by Alexander Sotirov, Marc Stevens, Jacob
  38. Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de
  39. Weger has reminded me that:
  40. * You can't rely on theoretical attacks to stay theoretical.
  41. * It's quite unpleasant when theoretical attacks become practical
  42. and public on days you were planning to leave for vacation.
  43. * Broken hash functions (which SHA-1 is not quite yet AFAIU)
  44. should be dropped like hot potatoes. Failure to do so can make
  45. one look silly.
  46. Triage
  47. How severe are these problems? Let's divide them into these
  48. categories, where H(x) is the SHA-1 hash of x:
  49. PREIMAGE -- find any x such that a H(x) has a chosen value
  50. -- A SHA-1 usage that only depends on preimage
  51. resistance
  52. * Also SECOND PREIMAGE. Given x, find a y not equal to
  53. x such that H(x) = H(y)
  54. COLLISION<role> -- A SHA-1 usage that depends on collision
  55. resistance, but the only party who could mount a
  56. collision-based attack is already in a trusted role
  57. (like a distribution signer or a directory authority).
  58. COLLISION -- find any x and y such that H(x) = H(y) -- A
  59. SHA-1 usage that depends on collision resistance
  60. and doesn't need the attacker to have any special keys.
  61. There is no need to put much effort into fixing PREIMAGE and SECOND
  62. PREIMAGE usages in the near-term: while there have been some
  63. theoretical results doing these attacks against SHA-1, they don't
  64. seem to be close to practical yet. To fix COLLISION<code-signing>
  65. usages is not too important either, since anyone who has the key to
  66. sign the code can mount far worse attacks. It would be good to fix
  67. COLLISION<authority> usages, since we try to resist bad authorities
  68. to a limited extent. The COLLISION usages are the most important
  69. to fix.
  70. Kelsey and Schneier published a theoretical second preimage attack
  71. against SHA-1 in 2005, so it would be a good idea to fix PREIMAGE
  72. and SECOND PREIMAGE usages after fixing COLLISION usages or where fixes
  73. require minimal effort.
  74. http://www.schneier.com/paper-preimages.html
  75. Additionally, we need to consider the impact of a successful attack
  76. in each of these cases. SHA-1 collisions are still expensive even
  77. if recent results are verified, and anybody with the resources to
  78. compute one also has the resources to mount a decent Sybil attack.
  79. Let's be pessimistic, and not assume that producing collisions of
  80. a given format is actually any harder than producing collisions at
  81. all.
  82. What Tor uses hashes for today:
  83. 1. Infrastructure.
  84. A. Our X.509 certificates are signed with SHA-1.
  85. COLLSION
  86. B. TLS uses SHA-1 (and MD5) internally to generate keys.
  87. PREIMAGE?
  88. * At least breaking SHA-1 and MD5 simultaneously is
  89. much more difficult than breaking either
  90. independently.
  91. C. Some of the TLS ciphersuites we allow use SHA-1.
  92. PREIMAGE?
  93. D. When we sign our code with GPG, it might be using SHA-1.
  94. COLLISION<code-signing>
  95. * GPG 1.4 and up have writing support for SHA-2 hashes.
  96. This blog has help for converting:
  97. http://www.schwer.us/journal/2005/02/19/sha-1-broken-and-gnupg-gpg/
  98. E. Our GPG keys might be authenticated with SHA-1.
  99. COLLISION<code-signing-key-signing>
  100. F. OpenSSL's random number generator uses SHA-1, I believe.
  101. PREIMAGE
  102. 2. The Tor protocol
  103. A. Everything we sign, we sign using SHA-1-based OAEP-MGF1.
  104. PREIMAGE?
  105. B. Our CREATE cell format uses SHA-1 for: OAEP padding.
  106. PREIMAGE?
  107. C. Our EXTEND cells use SHA-1 to hash the identity key of the
  108. target server.
  109. COLLISION
  110. D. Our CREATED cells use SHA-1 to hash the derived key data.
  111. ??
  112. E. The data we use in CREATE_FAST cells to generate a key is the
  113. length of a SHA-1.
  114. NONE
  115. F. The data we send back in a CREATED/CREATED_FAST cell is the length
  116. of a SHA-1.
  117. NONE
  118. G. We use SHA-1 to derive our circuit keys from the negotiated g^xy
  119. value.
  120. NONE
  121. H. We use SHA-1 to derive the digest field of each RELAY cell, but that's
  122. used more as a checksum than as a strong digest.
  123. NONE
  124. 3. Directory services
  125. [All are COLLISION or COLLISION<authority> ]
  126. A. All signatures are generated on the SHA-1 of their corresponding
  127. documents, using PKCS1 padding.
  128. * In dir-spec.txt, section 1.3, it states,
  129. "SIGNATURE" Object contains a signature (using the signing key)
  130. of the PKCS1-padded digest of the entire document, taken from
  131. the beginning of the Initial item, through the newline after
  132. the Signature Item's keyword and its arguments."
  133. So our attacker, Malcom, could generate a collision for the hash
  134. that is signed. Thus, a second pre-image attack is possible.
  135. Vulnerable to regular collision attack only if key is stolen.
  136. If the key is stolen, Malcom could distribute two different
  137. copies of the document which have the same hash. Maybe useful
  138. for a partitioning attack?
  139. B. Router descriptors identify their corresponding extra-info documents
  140. by their SHA-1 digest.
  141. * A third party might use a second pre-image attack to generate a
  142. false extra-info document that has the same hash. The router
  143. itself might use a regular collision attack to generate multiple
  144. extra-info documents with the same hash, which might be useful
  145. for a partitioning attack.
  146. C. Fingerprints in router descriptors are taken using SHA-1.
  147. * The fingerprint must match the public key. Not sure what would
  148. happen if two routers had different public keys but the same
  149. fingerprint. There could perhaps be unpredictable behaviour.
  150. D. In router descriptors, routers in the same "Family" may be listed
  151. by server nicknames or hexdigests.
  152. * Does not seem critical.
  153. E. Fingerprints in authority certs are taken using SHA-1.
  154. F. Fingerprints in dir-source lines of votes and consensuses are taken
  155. using SHA-1.
  156. G. Networkstatuses refer to routers identity keys and descriptors by their
  157. SHA-1 digests.
  158. H. Directory-signature lines identify which key is doing the signing by
  159. the SHA-1 digests of the authority's signing key and its identity key.
  160. I. The following items are downloaded by the SHA-1 of their contents:
  161. XXXX list them
  162. J. The following items are downloaded by the SHA-1 of an identity key:
  163. XXXX list them too.
  164. 4. The rendezvous protocol
  165. A. Hidden servers use SHA-1 to establish introduction points on relays,
  166. and relays use SHA-1 to check incoming introduction point
  167. establishment requests.
  168. B. Hidden servers use SHA-1 in multiple places when generating hidden
  169. service descriptors.
  170. * The permanent-id is the first 80 bits of the SHA-1 hash of the
  171. public key
  172. ** time-period performs caclulations using the permanent-id
  173. * The secret-id-part is the SHA-1 has of the time period, the
  174. descriptor-cookie, and replica.
  175. * Hash of introduction point's identity key.
  176. C. Hidden servers performing basic-type client authorization for their
  177. services use SHA-1 when encrypting introduction points contained in
  178. hidden service descriptors.
  179. D. Hidden service directories use SHA-1 to check whether a given hidden
  180. service descriptor may be published under a given descriptor
  181. identifier or not.
  182. E. Hidden servers use SHA-1 to derive .onion addresses of their
  183. services.
  184. * What's worse, it only uses the first 80 bits of the SHA-1 hash.
  185. However, the rend-spec.txt says we aren't worried about arbitrary
  186. collisons?
  187. F. Clients use SHA-1 to generate the current hidden service descriptor
  188. identifiers for a given .onion address.
  189. G. Hidden servers use SHA-1 to remember digests of the first parts of
  190. Diffie-Hellman handshakes contained in introduction requests in order
  191. to detect replays. See the RELAY_ESTABLISH_INTRO cell. We seem to be
  192. taking a hash of a hash here.
  193. H. Hidden servers use SHA-1 during the Diffie-Hellman key exchange with
  194. a connecting client.
  195. 5. The bridge protocol
  196. XXXX write me
  197. A. Client may attempt to query for bridges where he knows a digest
  198. (probably SHA-1) before a direct query.
  199. 6. The Tor user interface
  200. A. We log information about servers based on SHA-1 hashes of their
  201. identity keys.
  202. COLLISION
  203. B. The controller identifies servers based on SHA-1 hashes of their
  204. identity keys.
  205. COLLISION
  206. C. Nearly all of our configuration options that list servers allow SHA-1
  207. hashes of their identity keys.
  208. COLLISION
  209. E. The deprecated .exit notation uses SHA-1 hashes of identity keys
  210. COLLISION