More notes and an extra element in xxx-what-uses-sha1.txt

2024-11-10 21:23:58 +01:00 · 2009-05-02 12:39:56 -04:00 · 2009-05-02 12:39:56 -04:00 · 4f9b12e248
commit 4f9b12e248
parent e188ab9e75
1 changed files with 39 additions and 12 deletions
--- a/doc/spec/proposals/ideas/xxx-what-uses-sha1.txt
+++ b/doc/spec/proposals/ideas/xxx-what-uses-sha1.txt
@ -1,8 +1,8 @@
 Filename: xxx-what-uses-sha1.txt
 Title: Where does Tor use SHA-1 today?
 Version: $Revision$
-Last-Modified: $Date$
-Author: Nick Mathewson
+Last-Modified: 1-May-2009
+Authors: Nick Mathewson, Marian
 Created: 30-Dec-2008
 Status: Meta

@ -15,9 +15,15 @@ Introduction:
   too long.

   According to smart crypto people, the SHA-2 functions (SHA-256, etc)
-   share too much of SHA-1's structure to be very good.  Some people
-   like other hash functions; most of these have not seen enough
-   analysis to be widely regarded as an extra-good idea.
+   share too much of SHA-1's structure to be very good. RIPEMD-160 is 
+   also based on flawed past hashes.  Some people think other hash 
+   functions (e.g. Whirlpool and Tiger) are not as bad; most of these 
+   have not seen enough analysis to be used yet. 
+
+   Here is a 2006 paper about hash algorithms.
+   http://www.sane.nl/sane2006/program/final-papers/R10.pdf
+
+   (Todo: Ask smart crypto people.)

   By 2012, the NIST SHA-3 competition will be done, and with luck we'll
   have something good to switch too.  But it's probably a bad idea to
@ -85,19 +91,41 @@ What Tor uses hashes for today:

   A. All signatures are generated on the SHA-1 of their corresponding
      documents, using PKCS1 padding.
+      * In dir-spec.txt, section 1.3, it states, 
+          "SIGNATURE" Object contains a signature (using the signing key) 
+          of the PKCS1-padded digest of the entire document, taken from 
+          the beginning of the Initial item, through the newline after 
+          the Signature Item's keyword and its arguments."
+        So our attacker, Malcom, could generate a collision for the hash 
+        that is signed. Thus, a second pre-image attack is possible. 
+        Vulnerable to regular collision attack only if key is stolen.
+        If the key is stolen, Malcom could distribute two different 
+        copies of the document which have the same hash. Maybe useful
+        for a partitioning attack?
   B. Router descriptors identify their corresponding extra-info documents
      by their SHA-1 digest.
+      * A third party might use a second pre-image attack to generate a 
+        false extra-info document that has the same hash. The router 
+        itself might use a regular collision attack to generate multiple 
+        extra-info documents with the same hash, which might be useful 
+        for a partitioning attack.
   C. Fingerprints in router descriptors are taken using SHA-1.
-   D. Fingerprints in authority certs are taken using SHA-1.
-   E. Fingerprints in dir-source lines of votes and consensuses are taken
+      * The fingerprint must match the public key. Not sure what would 
+        happen if two routers had different public keys but the same 
+        fingerprint. There could perhaps be unpredictable behaviour.
+   D. In router descriptors, routers in the same "Family" may be listed 
+      by server nicknames or hexdigests.
+      * Does not seem critical.
+   E. Fingerprints in authority certs are taken using SHA-1.
+   F. Fingerprints in dir-source lines of votes and consensuses are taken
      using SHA-1.
-   F. Networkstatuses refer to routers identity keys and descriptors by their
+   G. Networkstatuses refer to routers identity keys and descriptors by their
      SHA-1 digests.
-   G. Directory-signature lines identify which key is doing the signing by
+   H. Directory-signature lines identify which key is doing the signing by
      the SHA-1 digests of the authority's signing key and its identity key.
-   H. The following items are downloaded by the SHA-1 of their contents:
+   I. The following items are downloaded by the SHA-1 of their contents:
      XXXX list them
-   I. The following items are downloaded by the SHA-1 of an identity key:
+   J. The following items are downloaded by the SHA-1 of an identity key:
      XXXX list them too.

 4. The rendezvous protocol
@ -137,4 +165,3 @@ What Tor uses hashes for today:
      hashes of their identity keys.
   E. The deprecated .exit notation uses SHA-1 hashes of identity keys

-