Filename: xxx-what-uses-sha1.txt
Title: Where does Tor use SHA-1 today?
Version: $Revision$
Last-Modified: $Date$
Author: Nick Mathewson
Created: 30-Dec-2008
Status: Meta

Introduction:
   Tor uses SHA-1 as a message digest. SHA-1 is showing its age:
   theoretical attacks for finding collisions against it get better
   every year or two, and it will likely be broken in practice before
   too long.

   According to smart crypto people, the SHA-2 functions (SHA-256, etc.)
   share too much of SHA-1's structure to be very good. Some people
   like other hash functions; most of these have not seen enough
   analysis to be widely regarded as an extra-good idea.

   By 2012, the NIST SHA-3 competition will be done, and with luck we'll
   have something good to switch to. But it's probably a bad idea to
   wait until 2012 to figure out _how_ to migrate to a new hash
   function, for two reasons:

     1) It's not inconceivable we'll want to migrate in a hurry
        some time before then.

     2) It's likely that migrating to a new hash function will
        require protocol changes, and it's easiest to make protocol
        changes backward compatible if we lay the groundwork in
        advance. It would suck to have to break compatibility with
        a big hard-to-test "flag day" protocol change.

   This document attempts to list everything Tor uses SHA-1 for today.
   This is the first step in getting all the design work done to switch
   to something else.

   This document SHOULD NOT be a clearinghouse of what to do about our
   use of SHA-1. That's better left for other individual proposals.

Why now?

   The recent publication of "MD5 considered harmful today: Creating a
   rogue CA certificate" by Alexander Sotirov, Marc Stevens, Jacob
   Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de
   Weger has reminded me that:

     * You can't rely on theoretical attacks to stay theoretical.
     * It's quite unpleasant when theoretical attacks become practical
       and public on days you were planning to leave for vacation.
     * Broken hash functions (which SHA-1 is not quite yet AFAIU)
       should be dropped like hot potatoes. Failure to do so can make
       one look silly.
What Tor uses hashes for today:

   1. Infrastructure.

      A. Our X.509 certificates are signed with SHA-1.
      B. TLS uses SHA-1 (and MD5) internally to generate keys.
      C. Some of the TLS ciphersuites we allow use SHA-1.
      D. When we sign our code with GPG, it might be using SHA-1.
      E. Our GPG keys might be authenticated with SHA-1.
      F. OpenSSL's random number generator uses SHA-1, I believe.
   2. The Tor protocol

      A. Everything we sign, we sign using SHA-1-based OAEP-MGF1.
      B. Our CREATE cell format uses SHA-1 for: OAEP padding.
      C. Our EXTEND cells use SHA-1 to hash the identity key of the
         target server.
      D. Our CREATED cells use SHA-1 to hash the derived key data.
      E. The data we use in CREATE_FAST cells to generate a key is the
         length of a SHA-1.
      F. The data we send back in a CREATED/CREATED_FAST cell is the length
         of a SHA-1.
      G. We use SHA-1 to derive our circuit keys from the negotiated g^xy value.
      H. We use SHA-1 to derive the digest field of each RELAY cell, but that's
         used more as a checksum than as a strong digest.
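As an added illustration (not part of this proposal or of Tor's code), the Python below sketches the CREATE_FAST handshake and the KDF-TOR circuit-key derivation described in tor-spec, to make visible how the 20-byte SHA-1 output fixes the sizes in items D, E, F and G. The hash function is a parameter so the length changes a migration would force show up directly; the function names and the constant-byte test RNG are my own choices.

```python
import hashlib
import os

# KDF-TOR as specified in tor-spec: K = H(K0 | [00]) | H(K0 | [01]) | ...,
# truncated to 3*DIGEST_LEN + 2*KEY_LEN bytes. The first DIGEST_LEN bytes (KH)
# are the "derived key data" echoed in CREATED cells (item D); the rest become
# the forward/backward digest seeds Df, Db and the cipher keys Kf, Kb (item G).
KEY_LEN = 16


def kdf_tor(k0: bytes, hashfn=hashlib.sha1) -> dict:
    dlen = hashfn().digest_size
    total = 3 * dlen + 2 * KEY_LEN
    out = b""
    counter = 0
    while len(out) < total:
        out += hashfn(k0 + bytes([counter])).digest()
        counter += 1
    k = out[:total]
    return {
        "KH": k[:dlen],
        "Df": k[dlen:2 * dlen],
        "Db": k[2 * dlen:3 * dlen],
        "Kf": k[3 * dlen:3 * dlen + KEY_LEN],
        "Kb": k[3 * dlen + KEY_LEN:total],
    }


# CREATE_FAST / CREATED_FAST (items E, F): the client sends X, the relay answers
# with Y | KH, where X and Y are each one digest length of random bytes and
# K0 = X | Y. Every payload size here is a multiple of the digest length.
def create_fast_exchange(hashfn=hashlib.sha1, rng=os.urandom) -> dict:
    dlen = hashfn().digest_size
    x = rng(dlen)                            # CREATE_FAST payload
    y = rng(dlen)
    relay_keys = kdf_tor(x + y, hashfn)
    created_fast = y + relay_keys["KH"]      # CREATED_FAST payload
    # Client side: split Y off, rerun the KDF, and refuse the circuit unless
    # the relay's KH matches the locally derived one.
    y_recv, kh_recv = created_fast[:dlen], created_fast[dlen:]
    client_keys = kdf_tor(x + y_recv, hashfn)
    return {
        "ok": client_keys["KH"] == kh_recv,
        "keys_agree": client_keys == relay_keys,
        "create_fast_len": len(x),
        "created_fast_len": len(created_fast),
    }
```

Swapping `hashfn` for `hashlib.sha256` changes both cell payload lengths and the KH length, which is the sort of wire-format change the introduction warns would need backward-compatible groundwork.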
   3. Directory services

      A. All signatures are generated on the SHA-1 of their corresponding
         documents, using PKCS1 padding.
      B. Router descriptors identify their corresponding extra-info documents
         by their SHA-1 digest.
      C. Fingerprints in router descriptors are taken using SHA-1.
      D. Fingerprints in authority certs are taken using SHA-1.
      E. Fingerprints in dir-source lines of votes and consensuses are taken
         using SHA-1.
      F. Networkstatuses refer to routers' identity keys and descriptors by their
         SHA-1 digests.
      G. Directory-signature lines identify which key is doing the signing by
         the SHA-1 digests of the authority's signing key and its identity key.
      H. The following items are downloaded by the SHA-1 of their contents:
         XXXX list them
      I. The following items are downloaded by the SHA-1 of an identity key:
         XXXX list them too.

   4. The rendezvous protocol

      A. Hidden servers use SHA-1 to establish introduction points on relays,
         and relays use SHA-1 to check incoming introduction point
         establishment requests.
      B. Hidden servers use SHA-1 in multiple places when generating hidden
         service descriptors.
      C. Hidden servers performing basic-type client authorization for their
         services use SHA-1 when encrypting introduction points contained in
         hidden service descriptors.
      D. Hidden service directories use SHA-1 to check whether a given hidden
         service descriptor may be published under a given descriptor
         identifier or not.
      E. Hidden servers use SHA-1 to derive .onion addresses of their
         services.
      F. Clients use SHA-1 to generate the current hidden service descriptor
         identifiers for a given .onion address.
      G. Hidden servers use SHA-1 to remember digests of the first parts of
         Diffie-Hellman handshakes contained in introduction requests in order
         to detect replays.
      H. Hidden servers use SHA-1 during the Diffie-Hellman key exchange with
         a connecting client.

   5. The bridge protocol

      XXXX write me

   6. The Tor user interface

      A. We log information about servers based on SHA-1 hashes of their
         identity keys.
      B. The controller identifies servers based on SHA-1 hashes of their
         identity keys.
      C. Nearly all of our configuration options that list servers allow SHA-1
         hashes of their identity keys.
      E. The deprecated .exit notation uses SHA-1 hashes of identity keys