IETF Logo Mail Archive

Re: A review of hash function brittleness in OpenPGP

Jon Callas <jon@callas.org> Fri, 09 January 2009 23:43 UTC

Return-Path: <owner-ietf-openpgp@mail.imc.org>
X-Original-To: ietfarch-openpgp-archive@core3.amsl.com
Delivered-To: ietfarch-openpgp-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DFF803A684F for <ietfarch-openpgp-archive@core3.amsl.com>; Fri, 9 Jan 2009 15:43:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.766
X-Spam-Level:
X-Spam-Status: No, score=-1.766 tagged_above=-999 required=5 tests=[AWL=-0.833, BAYES_00=-2.599, SARE_FWDLOOK=1.666]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PNhpZW6XRWrS for <ietfarch-openpgp-archive@core3.amsl.com>; Fri, 9 Jan 2009 15:43:34 -0800 (PST)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 17EA13A6819 for <openpgp-archive@ietf.org>; Fri, 9 Jan 2009 15:43:33 -0800 (PST)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n09NSQbV048916 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 9 Jan 2009 16:28:26 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n09NSQKS048915; Fri, 9 Jan 2009 16:28:26 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [66.93.68.160]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n09NSEAe048909 for <ietf-openpgp@imc.org>; Fri, 9 Jan 2009 16:28:24 -0700 (MST) (envelope-from jon@callas.org)
Received: from localhost (localhost [127.0.0.1]) by merrymeet.com (Postfix) with ESMTP id D02832E0DF for <ietf-openpgp@imc.org>; Fri, 9 Jan 2009 15:28:40 -0800 (PST)
Received: from merrymeet.com ([127.0.0.1]) by localhost (host.domain.tld [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 13602-08 for <ietf-openpgp@imc.org>; Fri, 9 Jan 2009 15:28:33 -0800 (PST)
Received: from keys.merrymeet.com (keys.merrymeet.com [66.93.68.161]) (Authenticated sender: jon) by merrymeet.com (Postfix) with ESMTPA id 868952E0C9 for <ietf-openpgp@imc.org>; Fri, 9 Jan 2009 15:28:33 -0800 (PST)
Received: from [192.168.2.91] ([64.1.215.244]) by keys.merrymeet.com (PGP Universal service); Fri, 09 Jan 2009 14:29:07 -0800
X-PGP-Universal: processed; by keys.merrymeet.com on Fri, 09 Jan 2009 14:29:07 -0800
Cc: IETF OpenPGP Working Group <ietf-openpgp@imc.org>, Monkeysphere Developers <monkeysphere@lists.riseup.net>
Message-Id: <1DE80143-9BD3-4369-BFD4-69AE591FD25C@callas.org>
From: Jon Callas <jon@callas.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
In-Reply-To: <49664D21.50403@fifthhorseman.net>
Mime-Version: 1.0 (Apple Message framework v929.2)
Subject: Re: A review of hash function brittleness in OpenPGP
Date: Fri, 09 Jan 2009 15:28:03 -0800
References: <49664D21.50403@fifthhorseman.net>
X-Mailer: Apple Mail (2.929.2)
X-PGP-Encoding-Format: Partitioned
X-PGP-Encoding-Version: 2.0.2
X-Content-PGP-Universal-Saved-Content-Transfer-Encoding: 7bit
X-Content-PGP-Universal-Saved-Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: Maia Mailguard
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Jan 8, 2009, at 10:59 AM, Daniel Kahn Gillmor wrote:

> * PGP Signed by an unknown key
>
> Hey folks--
>
> I've been trying to evaluate RFC 4880's resistance to a hash function
> compromise in light of the recent activity exploiting weaknesses  
> MD-5 in
> That Other PKI [0].
>
> I'm quite pleased with the bulk of what i've found.  OpenPGP's use of
> message digests is almost entirely parameterized, leaving the door  
> open
> to forward-looking adoption of new hash algorithms and the smooth
> deprecation as older ones are demonstrated to be weak.

Great comments.

>
>
> So I've been looking for places in the spec where the choice of digest
> function is not parameterized.  In particular, explicit and hardcoded
> reliance on SHA-1 could become problematic as it is already being
> deprecated.  For example, reliance on SHA-1 must be eliminated in  
> all US
> Gov't federal agencies by the end of 2010 [1].
>
> Here are the concerns i've found so far:
>
> MDC
> ---
>
> The modification detection packets (sections 5.13 and 5.14) explicitly
> specify SHA-1, and basically acknowledge that this choice may need  
> to be
> made more flexible in the future.

Yes.

Let me add an historic note. The MDC occupies an odd position.

There is an obvious, easy, supported way to create an integrity- 
protected message: you sign it.

The problem is that an unsigned message is pretty vulnerable to many  
problems from cut-and-paste attacks on. A number of people wanted to  
do something about that problem -- you want an unsigned message that  
has a reasonable guarantee that it arrived whole.

Most people didn't see the threat. Outside this working group, almost  
no one did. Even inside the working group we were ambivalent about it.

The solution as you see it was a compromise among us, and as a  
compromise it means we're all a bit ambivalent about it. In  
retrospect, an MAC would have been a better solution, but brought up a  
new set of issues like what key to use.

HMACs were developed *during* the MDC discussions, and the proof of  
security for HMAC was done *after* we all agreed. The implementors  
didn't want to do an HMAC for performance reasons, especially for  
streaming, and again -- there was no proof of security. HMAC was this  
new thing that Hugo and Shai did. Since then, there are also obvious  
answers for KDFs as well.

Despite this, it's a fine construction. It does what it was intended  
to do, and the known weaknesses of SHA-1 do not affect it at all. We  
are not relying on collision-resistance, we are relying on one- 
wayness. Remember, this is an *unauthenticated*, but whole message. If  
you want to authenticate the message, we have some nice digital  
signatures to offer you.

Since then, there have been several attacks against the OpenPGP  
formats that are thwarted by the MDC. If we want to upgrade the MDC,  
we know how to do it, that's outlined in 4880.

(Let me put on my hash-designer's hat for a moment. In Skein, we  
created a one-pass MAC construction that can replace HMAC. It also has  
a proof of security. I think it would be best to wait a while longer  
to see what comes out of the SHA3 competition, because it's likely  
that it will yield KDFs and hash-based MACs that answer all of the  
concerns that lead us to the present MDC compromise. They'll be fast,  
easy, and one-pass.)

>
>
> Fingerprints
> ------------
>
> Fingerprints (section 12.2) are specified as an SHA-1 computation.
> While this isn't an explicit reliance on SHA-1 for cryptographic
> security (and the RFC makes it clear that there is a non-zero chance  
> of
> fingerprint collisions), the real-world use of fingerprints as unique
> identifiers for keys poses a serious risk to OpenPGP infrastructure
> should SHA-1 become further compromised.

There's a proposal for a new way to do fingerprints. I will do it the  
injustice of summarizing it:

You express a fingerprint as the algorithm number, a colon, and then  
the hexadecimal. Truncations are handled in some obvious manner.  
Presently, for better or worse, a key id is the low-order 64 bits of a  
fingerprint, so we probably have to stick with that, despite the  
gnashing of teeth many of us will have.

Under that proposal, one of my fingerprints (DFA7 517E 2BF4 6834 6C15   
C029 B137 9D59 9383 DE06) could also be expressed as (2:DFA7 517E 2BF4  
6834 6C15  C029 B137 9D59 9383 DE06) because SHA-1 has the algorithm  
number of 2.

All we need is someone to write this up as an I-D -- or code it up  
preemptively.

>
>
> Revocation keys
> ---------------
>
> Section 5.2.3.15 defines a way that key A can allow key B to
> authoritatively issue revocation signatures on A's behalf, including  
> key
> revocation (sigtype 0x20), subkey revocation (sigtype 0x28), and
> certification revocation (sigtype 0x30).  However, this mechanism  
> relies
> on the fingerprint of B being unique.  Since the fingerprint itself is
> bound to SHA-1, this presents a risk to users of this feature of the
> specification should SHA-1 become further compromised.
>

Solved by upgrading fingerprints and three more paragraphs of text.


>
>
> As the IETF working group for OpenPGP, we probably should start  
> actively
> working to resolve these issues so we can have infrastructure in place
> well before SHA-1 is similarly compromised.  Any suggestions?  I'm new
> to the WG, so i don't have any experience addressing concerns like  
> this.
>
> I'm particularly concerned about fingerprints, since they is used  
> widely
> in the real world (e.g. i have my fingerprint on my business card).  I
> can imagine relatively straightforward technical measures to resolve  
> the
> other concerns.
>
> Also, it's quite likely that i've missed things in my reading of the
> spec.  If anyone sees any other problematic areas, it would be great  
> to
> air them as soon as possible.

Are you volunteering to write a document?


>
>
> Regards,
>
> 	--dkg
>
> [0] http://www.phreedom.org/research/rogue-ca/
> [1] http://csrc.nist.gov/groups/ST/hash/statement.html
>
>
> * Unknown Key
> * 0xD21739E9


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.6.3
Charset: US-ASCII

wj8DBQFJZ8+zsTedWZOD3gYRAkutAJ0Wo0iRVUNDaF1KAw//GocHyI+PbwCgzdZ8
pWhsc6izhtYXW5MYUnkiwVA=
=6Xt5
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email