-rw-r--r--doc/spec/proposals/ideas/xxx-what-uses-sha1.txt51
1 files changed, 39 insertions, 12 deletions
diff --git a/doc/spec/proposals/ideas/xxx-what-uses-sha1.txt b/doc/spec/proposals/ideas/xxx-what-uses-sha1.txt
index 9b6e20c586..1e621129be 100644
--- a/doc/spec/proposals/ideas/xxx-what-uses-sha1.txt
+++ b/doc/spec/proposals/ideas/xxx-what-uses-sha1.txt
@@ -1,8 +1,8 @@
Filename: xxx-what-uses-sha1.txt
Title: Where does Tor use SHA-1 today?
Version: $Revision$
-Last-Modified: $Date$
-Author: Nick Mathewson
+Last-Modified: 1-May-2009
+Authors: Nick Mathewson, Marian
Created: 30-Dec-2008
Status: Meta
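Review bot: replacing `Last-Modified: $Date$` with a hand-written `1-May-2009` while `Version: $Revision$` keeps its keyword is inconsistent; either leave both keywords in place so they expand automatically, or replace both. The header key also changes from `Author:` to `Authors:`; confirm that whatever indexes the proposals accepts the plural key, or keep `Author:` with a comma-separated list. The second author is given only as `Marian`; a full name is needed for the attribution to be meaningful.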
@@ -15,9 +15,15 @@ Introduction:
too long.
According to smart crypto people, the SHA-2 functions (SHA-256, etc)
- share too much of SHA-1's structure to be very good. Some people
- like other hash functions; most of these have not seen enough
- analysis to be widely regarded as an extra-good idea.
+ share too much of SHA-1's structure to be very good. RIPEMD-160 is
+ also based on flawed past hashes. Some people think other hash
+ functions (e.g. Whirlpool and Tiger) are not as bad; most of these
+ have not seen enough analysis to be used yet.
+
+ Here is a 2006 paper about hash algorithms.
+ http://www.sane.nl/sane2006/program/final-papers/R10.pdf
+
+ (Todo: Ask smart crypto people.)
By 2012, the NIST SHA-3 competition will be done, and with luck we'll
have something good to switch too. But it's probably a bad idea to
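Review bot: the added claims that "RIPEMD-160 is also based on flawed past hashes" and that Whirlpool and Tiger "are not as bad" are asserted without a source, and the new "(Todo: Ask smart crypto people.)" line admits as much; either leave the comparisons out until they have been checked, or attach the reference that supports each one. The added citation is a bare URL (`http://www.sane.nl/sane2006/program/final-papers/R10.pdf`) with no title or authors, so it cannot be identified once the link goes stale; give the paper's title and authors alongside the URL. While this paragraph is being edited, the unchanged context line "something good to switch too" should read "switch to".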
@@ -85,19 +91,41 @@ What Tor uses hashes for today:
A. All signatures are generated on the SHA-1 of their corresponding
documents, using PKCS1 padding.
+ * In dir-spec.txt, section 1.3, it states,
+ "SIGNATURE" Object contains a signature (using the signing key)
+ of the PKCS1-padded digest of the entire document, taken from
+ the beginning of the Initial item, through the newline after
+ the Signature Item's keyword and its arguments."
+ So our attacker, Malcom, could generate a collision for the hash
+ that is signed. Thus, a second pre-image attack is possible.
+ Vulnerable to regular collision attack only if key is stolen.
+ If the key is stolen, Malcom could distribute two different
+ copies of the document which have the same hash. Maybe useful
+ for a partitioning attack?
B. Router descriptors identify their corresponding extra-info documents
by their SHA-1 digest.
+ * A third party might use a second pre-image attack to generate a
+ false extra-info document that has the same hash. The router
+ itself might use a regular collision attack to generate multiple
+ extra-info documents with the same hash, which might be useful
+ for a partitioning attack.
C. Fingerprints in router descriptors are taken using SHA-1.
- D. Fingerprints in authority certs are taken using SHA-1.
- E. Fingerprints in dir-source lines of votes and consensuses are taken
+ * The fingerprint must match the public key. Not sure what would
+ happen if two routers had different public keys but the same
+ fingerprint. There could perhaps be unpredictable behaviour.
+ D. In router descriptors, routers in the same "Family" may be listed
+ by server nicknames or hexdigests.
+ * Does not seem critical.
+ E. Fingerprints in authority certs are taken using SHA-1.
+ F. Fingerprints in dir-source lines of votes and consensuses are taken
using SHA-1.
- F. Networkstatuses refer to routers identity keys and descriptors by their
+ G. Networkstatuses refer to routers identity keys and descriptors by their
SHA-1 digests.
- G. Directory-signature lines identify which key is doing the signing by
+ H. Directory-signature lines identify which key is doing the signing by
the SHA-1 digests of the authority's signing key and its identity key.
- H. The following items are downloaded by the SHA-1 of their contents:
+ I. The following items are downloaded by the SHA-1 of their contents:
XXXX list them
- I. The following items are downloaded by the SHA-1 of an identity key:
+ J. The following items are downloaded by the SHA-1 of an identity key:
XXXX list them too.
4. The rendezvous protocol
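Review bot: item A conflates the two attacks. An outside attacker who does not hold the signing key needs a second preimage of the signed document (a different document with the same SHA-1 digest of the signed region), whereas a collision attack only helps a party who can get both colliding documents signed, i.e. the key holder or someone who can feed the authority a document of their choosing. So "Malcom, could generate a collision for the hash that is signed. Thus, a second pre-image attack is possible." should be rewritten along the lines of "Without the key, Malcom needs a second preimage of the signed document; with the key, or the ability to get a chosen document signed, a collision suffices", which is also what the following two sentences already say. Item B draws the distinction correctly (third party: second preimage; the router itself: collision) and item A should match it. The quoted dir-spec passage in item A closes with `arguments."` but never opens the quotation. Inserting the new item D shifts the old D through I to E through J; check that nothing else in the document or in other proposals refers to these items by letter.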
@@ -137,4 +165,3 @@ What Tor uses hashes for today:
hashes of their identity keys.
E. The deprecated .exit notation uses SHA-1 hashes of identity keys
-