More notes and an extra element in xxx-what-uses-sha1.txt

1 files changed, 39 insertions, 12 deletions

diff --git a/proposals/ideas/xxx-what-uses-sha1.txt b/proposals/ideas/xxx-what-uses-sha1.txt
index 9b6e20c..1e62112 100644
--- a/proposals/ideas/xxx-what-uses-sha1.txt
+++ b/proposals/ideas/xxx-what-uses-sha1.txt
@@ -1,8 +1,8 @@
 Filename: xxx-what-uses-sha1.txt
 Title: Where does Tor use SHA-1 today?
 Version: $Revision$
-Last-Modified: $Date$
-Author: Nick Mathewson
+Last-Modified: 1-May-2009
+Authors: Nick Mathewson, Marian
 Created: 30-Dec-2008
 Status: Meta
 
@@ -15,9 +15,15 @@ Introduction:
    too long.
 
    According to smart crypto people, the SHA-2 functions (SHA-256, etc)
-   share too much of SHA-1's structure to be very good.  Some people
-   like other hash functions; most of these have not seen enough
-   analysis to be widely regarded as an extra-good idea.
+   share too much of SHA-1's structure to be very good. RIPEMD-160 is 
+   also based on flawed past hashes.  Some people think other hash 
+   functions (e.g. Whirlpool and Tiger) are not as bad; most of these 
+   have not seen enough analysis to be used yet. 
+
+   Here is a 2006 paper about hash algorithms.
+   http://www.sane.nl/sane2006/program/final-papers/R10.pdf
+
+   (Todo: Ask smart crypto people.)
 
    By 2012, the NIST SHA-3 competition will be done, and with luck we'll
    have something good to switch too.  But it's probably a bad idea to
@@ -85,19 +91,41 @@ What Tor uses hashes for today:
 
    A. All signatures are generated on the SHA-1 of their corresponding
       documents, using PKCS1 padding.
+      * In dir-spec.txt, section 1.3, it states, 
+          "SIGNATURE" Object contains a signature (using the signing key) 
+          of the PKCS1-padded digest of the entire document, taken from 
+          the beginning of the Initial item, through the newline after 
+          the Signature Item's keyword and its arguments."
+        So our attacker, Malcom, could generate a collision for the hash 
+        that is signed. Thus, a second pre-image attack is possible. 
+        Vulnerable to regular collision attack only if key is stolen.
+        If the key is stolen, Malcom could distribute two different 
+        copies of the document which have the same hash. Maybe useful
+        for a partitioning attack?
    B. Router descriptors identify their corresponding extra-info documents
       by their SHA-1 digest.
+      * A third party might use a second pre-image attack to generate a 
+        false extra-info document that has the same hash. The router 
+        itself might use a regular collision attack to generate multiple 
+        extra-info documents with the same hash, which might be useful 
+        for a partitioning attack.
    C. Fingerprints in router descriptors are taken using SHA-1.
-   D. Fingerprints in authority certs are taken using SHA-1.
-   E. Fingerprints in dir-source lines of votes and consensuses are taken
+      * The fingerprint must match the public key. Not sure what would 
+        happen if two routers had different public keys but the same 
+        fingerprint. There could perhaps be unpredictable behaviour.
+   D. In router descriptors, routers in the same "Family" may be listed 
+      by server nicknames or hexdigests.
+      * Does not seem critical.
+   E. Fingerprints in authority certs are taken using SHA-1.
+   F. Fingerprints in dir-source lines of votes and consensuses are taken
       using SHA-1.
-   F. Networkstatuses refer to routers identity keys and descriptors by their
+   G. Networkstatuses refer to routers identity keys and descriptors by their
       SHA-1 digests.
-   G. Directory-signature lines identify which key is doing the signing by
+   H. Directory-signature lines identify which key is doing the signing by
       the SHA-1 digests of the authority's signing key and its identity key.
-   H. The following items are downloaded by the SHA-1 of their contents:
+   I. The following items are downloaded by the SHA-1 of their contents:
       XXXX list them
-   I. The following items are downloaded by the SHA-1 of an identity key:
+   J. The following items are downloaded by the SHA-1 of an identity key:
       XXXX list them too.
 
 4. The rendezvous protocol
@@ -137,4 +165,3 @@ What Tor uses hashes for today:
       hashes of their identity keys.
    E. The deprecated .exit notation uses SHA-1 hashes of identity keys
 
-