1
0
mirror of https://github.com/moparisthebest/xeps synced 2024-11-24 18:22:24 -05:00

Update XEP-0300 to current standards; adding SHA-3 and BLAKE2

This commit is contained in:
Tobias Markmann 2016-05-16 22:32:20 +02:00
parent b92a2b7a23
commit c13fadb2e9
2 changed files with 95 additions and 8 deletions

View File

@ -10,7 +10,7 @@
<abstract>This document provides recommendations for the use of cryptographic hash functions in XMPP protocol extensions.</abstract> <abstract>This document provides recommendations for the use of cryptographic hash functions in XMPP protocol extensions.</abstract>
&LEGALNOTICE; &LEGALNOTICE;
<number>0300</number> <number>0300</number>
<status>Deferred</status> <status>Experimental</status>
<type>Standards Track</type> <type>Standards Track</type>
<sig>Standards</sig> <sig>Standards</sig>
<approver>Council</approver> <approver>Council</approver>
@ -23,6 +23,13 @@
&stpeter; &stpeter;
&mwild; &mwild;
&ksmith; &ksmith;
&tobias;
<revision>
<version>0.4</version>
<date>2016-05-16</date>
<initials>tobias</initials>
<remark><p>Updating to current knowledge on security of algorithms. Adding SHA-3 and BLAKE families of hashes.</p></remark>
</revision>
<revision> <revision>
<version>0.3</version> <version>0.3</version>
<date>2012-02-08</date> <date>2012-02-08</date>
@ -90,6 +97,7 @@
</section2> </section2>
<section2 topic='MD5' anchor='hashes-md5'> <section2 topic='MD5' anchor='hashes-md5'>
<p>The MD5 algorithm was commonly used in earlier generations of Internet technologies. As explained in &rfc6151;, the MD5 algorithm "is no longer acceptable where collision resistance is required" (such as in digital signatures) and "new protocol designs should not employ HMAC-MD5" either.</p> <p>The MD5 algorithm was commonly used in earlier generations of Internet technologies. As explained in &rfc6151;, the MD5 algorithm "is no longer acceptable where collision resistance is required" (such as in digital signatures) and "new protocol designs should not employ HMAC-MD5" either.</p>
<p>The currently known best attack against the pre-image resistance property of the MD5 algorithm is slightly better than the generic attack and was released 2009 <note>Yu Sasaki and Kazumaro Aoki, "Finding preimages in full MD5 faster than exhaustive search" &lt;<link url='https://doi.org/10.1007/978-3-642-01001-9_8'>https://doi.org/10.1007/978-3-642-01001-9_8</link>&gt;.</note>.</p>
<p>The primary use of MD5 in XMPP protocols is &xep0096;, which will be obsoleted by &xep0234;.</p> <p>The primary use of MD5 in XMPP protocols is &xep0096;, which will be obsoleted by &xep0234;.</p>
</section2> </section2>
<section2 topic='SHA-0' anchor='hashes-sha0'> <section2 topic='SHA-0' anchor='hashes-sha0'>
@ -97,13 +105,17 @@
</section2> </section2>
<section2 topic='SHA-1' anchor='hashes-sha1'> <section2 topic='SHA-1' anchor='hashes-sha1'>
<p>The SHA-1 algorithm was developed by the U.S. National Security Agency and first published in 1995 to fix problems with SHA-0. The SHA-1 algorithm is currently the most widely-deployed hash function. As described in &rfc4270; in 2005, attacks have been found against the collision resistance property of SHA-1. &rfc6194; notes that as of 2011 no published results indicate improvement upon those attacks. In addition, RFC 6194 notes that "[t]here are no known pre-image or second pre-image attacks that are specific to the full round SHA-1 algorithm". Furthermore, there is no indication that attacks on SHA-1 can be extended to HMAC-SHA-1. Nevertheless, the U.S. National Institute of Standards and Technology (NIST) has recommended that SHA-1 not be used for generating digital signatures after December 31, 2010.</p> <p>The SHA-1 algorithm was developed by the U.S. National Security Agency and first published in 1995 to fix problems with SHA-0. The SHA-1 algorithm is currently the most widely-deployed hash function. As described in &rfc4270; in 2005, attacks have been found against the collision resistance property of SHA-1. &rfc6194; notes that as of 2011 no published results indicate improvement upon those attacks. In addition, RFC 6194 notes that "[t]here are no known pre-image or second pre-image attacks that are specific to the full round SHA-1 algorithm". Furthermore, there is no indication that attacks on SHA-1 can be extended to HMAC-SHA-1. Nevertheless, the U.S. National Institute of Standards and Technology (NIST) has recommended that SHA-1 not be used for generating digital signatures after December 31, 2010.</p>
<p>In fall 2015 the SHA-1 collision cost has been estimated between 75K$ to 120K$ <note>The SHAppening: freestart collisions for SHA-1 &lt;<link url='https://sites.google.com/site/itstheshappening/'>https://sites.google.com/site/itstheshappening/</link>&gt;.</note>.</p>
<p>The SHA-1 algorithm is used in a number of XMPP protocols. See <link url='#existing'>Analysis of Existing XMPP Extensions</link> for details.</p> <p>The SHA-1 algorithm is used in a number of XMPP protocols. See <link url='#existing'>Analysis of Existing XMPP Extensions</link> for details.</p>
</section2> </section2>
<section2 topic='SHA-2' anchor='hashes-sha2'> <section2 topic='SHA-2' anchor='hashes-sha2'>
<p>The SHA-2 family of algorithms (SHA-224, SHA-256, SHA-384, and SHA-512) was developed by the U.S. National Security Agency and first published in 2001. Because SHA-2 is somewhat similar to SHA-1, it is thought that the security flaws with SHA-1 described above could be extended to SHA-2 (although no such attacks have yet been found on the full-round SHA-2 algorithms).</p> <p>The SHA-2 family of algorithms (SHA-224, SHA-256, SHA-384, and SHA-512) was developed by the U.S. National Security Agency and first published in 2001. Because SHA-2 is somewhat similar to SHA-1, it is thought that the security flaws with SHA-1 described above could be extended to SHA-2 (although no such attacks have yet been found on the full-round SHA-2 algorithms).</p>
</section2> </section2>
<section2 topic='SHA-3' anchor='hashes-sha3'> <section2 topic='SHA-3' anchor='hashes-sha3'>
<p>The U.S. National Institute of Standards and Technology (NIST) is currently holding a public competition to replace the SHA-1 and SHA-2 functions. The winner and resulting new standard will be announced in 2012. When this "SHA-3" technology is announced, the XSF will update this specification accordingly.</p> <p>The SHA-3 family of algorithms (SHA3-224, SHA3-256, SHA3-384, and SHA3-512) is based on the Keccak algortihm developed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche, and was pubished by NIST on August 5, 2015 in <span class='ref'><link url='http://dx.doi.org/10.6028/NIST.FIPS.202'>FIPS PUB 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</link></span> <note>FIPS PUB 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions &lt;<link url='http://dx.doi.org/10.6028/NIST.FIPS.202'>http://dx.doi.org/10.6028/NIST.FIPS.202</link>&gt;.</note> after a public hash function competition.</p>
</section2>
<section2 topic='BLAKE2' anchor='hashes-blake2'>
<p>The BLAKE2 family of algorithms was designed by Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian Winnerlein. It is described in &rfc7693; and is designed to be highly secure and run well on both software and hardware platforms.</p>
</section2> </section2>
</section1> </section1>
@ -112,36 +124,64 @@
<table caption='Algorithm Recommendations'> <table caption='Algorithm Recommendations'>
<tr> <tr>
<th>Algorithm</th> <th>Algorithm</th>
<th>Digest Size</th>
<th>Support</th> <th>Support</th>
</tr> </tr>
<tr> <tr>
<td>MD2</td> <td>MD2</td>
<td>128 bits</td>
<td>MUST NOT</td> <td>MUST NOT</td>
</tr> </tr>
<tr> <tr>
<td>MD4</td> <td>MD4</td>
<td>128 bits</td>
<td>MUST NOT</td> <td>MUST NOT</td>
</tr> </tr>
<tr> <tr>
<td>MD5</td> <td>MD5</td>
<td>MAY</td> <td>128 bit</td>
<td>MUST NOT</td>
</tr> </tr>
<tr> <tr>
<td>SHA-1</td> <td>SHA-1</td>
<td>MUST</td> <td>160 bits</td>
<td>MAY</td>
</tr> </tr>
<tr> <tr>
<td>SHA-256</td> <td>SHA-256</td>
<td>MUST</td> <td>256 bits</td>
<td>SHOULD</td>
</tr> </tr>
<tr> <tr>
<td>SHA-512</td> <td>SHA-512</td>
<td>512 bits</td>
<td>MAY</td>
</tr>
<tr>
<td>SHA3-256</td>
<td>256 bits</td>
<td>SHOULD</td> <td>SHOULD</td>
</tr> </tr>
<tr>
<td>SHA3-512</td>
<td>512 bits</td>
<td>MAY</td>
</tr>
<tr>
<td>BLAKE2b256</td>
<td>256 bits</td>
<td>SHOULD</td>
</tr>
<tr>
<td>BLAKE2b512</td>
<td>512 bits</td>
<td>MAY</td>
</tr>
</table> </table>
<p>The current plan is to move SHA-1 to a SHOULD NOT, SHA-256, SHA3-256 and BLAKE2b256 to MUST, and SHA-512, SHA3-512, and BLAKE2b512 to SHOULD by the end of 2016.</p>
<p>These recommendations ought to be reviewed yearly by the &COUNCIL;.</p> <p>These recommendations ought to be reviewed yearly by the &COUNCIL;.</p>
</section1> </section1>
http://dx.doi.org/10.6028/NIST.FIPS.202
<section1 topic='Determining Support' anchor='disco'> <section1 topic='Determining Support' anchor='disco'>
<p>If an entity supports the protocol defined herein, it MUST report that by including a &xep0030; feature of "urn:xmpp:hashes:1" in response to disco#info requests, along with one service discovery feature for each algorithm it supports:</p> <p>If an entity supports the protocol defined herein, it MUST report that by including a &xep0030; feature of "urn:xmpp:hashes:1" in response to disco#info requests, along with one service discovery feature for each algorithm it supports:</p>
<example caption="Service discovery information request"><![CDATA[ <example caption="Service discovery information request"><![CDATA[
@ -159,9 +199,8 @@
type='result'> type='result'>
<query xmlns='http://jabber.org/protocol/disco#info'> <query xmlns='http://jabber.org/protocol/disco#info'>
<feature var='urn:xmpp:hashes:1'/> <feature var='urn:xmpp:hashes:1'/>
<feature var='urn:xmpp:hash-function-text-names:md5'/>
<feature var='urn:xmpp:hash-function-text-names:sha-1'/>
<feature var='urn:xmpp:hash-function-text-names:sha-256'/> <feature var='urn:xmpp:hash-function-text-names:sha-256'/>
<feature var='urn:xmpp:hash-function-text-names:sha3-256'/>
</query> </query>
</iq> </iq>
]]></example> ]]></example>
@ -195,6 +234,9 @@
<section2 topic='XEP-0231' anchor='existing-xep0231'> <section2 topic='XEP-0231' anchor='existing-xep0231'>
<p>&xep0231; supports hash agility through the structure of values for the 'cid' attribute, but does not mandate support for any particular algorithm.</p> <p>&xep0231; supports hash agility through the structure of values for the 'cid' attribute, but does not mandate support for any particular algorithm.</p>
</section2> </section2>
<section2 topic='XEP-0234' anchor='existing-xep0234'>
<p>&xep0234; supports hash agility in its application format to allow to verify integrity of transferred files. It does not mandate support for any particular algorithm.</p>
</section2>
<section2 topic='Recommendations' anchor='existing-recommendations'> <section2 topic='Recommendations' anchor='existing-recommendations'>
<p>Of the foregoing, the use in <cite>XEP-0115</cite> has the most significant security implications. However, there are other security issues with <cite>XEP-0115</cite> that make it likely to be replaced in a more wholesale fashion. Although it would be desirable for all XMPP extensions that use cryptographic hashes to incorporate hash agility, realistically this is difficult to achieve after the fact. For now, the XSF is encouraged to focus on new protocols (e.g., XEP-0234 and a replacement for XEP-0115 if there is consensus to work on the latter) rather than spending effort on migrating its existing uses of SHA-1 to the SHA-2 family of algorithms, and to the SHA-3 family when available. Naturally, these priorities might change if XMPP technologies experience significant attacks on existing extensions that use SHA-1.</p> <p>Of the foregoing, the use in <cite>XEP-0115</cite> has the most significant security implications. However, there are other security issues with <cite>XEP-0115</cite> that make it likely to be replaced in a more wholesale fashion. Although it would be desirable for all XMPP extensions that use cryptographic hashes to incorporate hash agility, realistically this is difficult to achieve after the fact. For now, the XSF is encouraged to focus on new protocols (e.g., XEP-0234 and a replacement for XEP-0115 if there is consensus to work on the latter) rather than spending effort on migrating its existing uses of SHA-1 to the SHA-2 family of algorithms, and to the SHA-3 family when available. Naturally, these priorities might change if XMPP technologies experience significant attacks on existing extensions that use SHA-1.</p>
</section2> </section2>
@ -227,11 +269,13 @@
<desc>Support for the MD5 hashing algorithm</desc> <desc>Support for the MD5 hashing algorithm</desc>
<doc>XEP-0300</doc> <doc>XEP-0300</doc>
</var> </var>
<var> <var>
<name>urn:xmpp:hash-function-text-names:sha-1</name> <name>urn:xmpp:hash-function-text-names:sha-1</name>
<desc>Support for the SHA-1 hashing algorithm</desc> <desc>Support for the SHA-1 hashing algorithm</desc>
<doc>XEP-0300</doc> <doc>XEP-0300</doc>
</var> </var>
<var> <var>
<name>urn:xmpp:hash-function-text-names:sha-224</name> <name>urn:xmpp:hash-function-text-names:sha-224</name>
<desc>Support for the SHA-224 hashing algorithm</desc> <desc>Support for the SHA-224 hashing algorithm</desc>
@ -252,6 +296,48 @@
<desc>Support for the SHA-512 hashing algorithm</desc> <desc>Support for the SHA-512 hashing algorithm</desc>
<doc>XEP-0300</doc> <doc>XEP-0300</doc>
</var> </var>
<var>
<name>urn:xmpp:hash-function-text-names:sha3-224</name>
<desc>Support for the SHA3-224 hashing algorithm</desc>
<doc>XEP-0300</doc>
</var>
<var>
<name>urn:xmpp:hash-function-text-names:sha3-256</name>
<desc>Support for the SHA3-256 hashing algorithm</desc>
<doc>XEP-0300</doc>
</var>
<var>
<name>urn:xmpp:hash-function-text-names:sha3-384</name>
<desc>Support for the SHA3-384 hashing algorithm</desc>
<doc>XEP-0300</doc>
</var>
<var>
<name>urn:xmpp:hash-function-text-names:sha3-512</name>
<desc>Support for the SHA3-512 hashing algorithm</desc>
<doc>XEP-0300</doc>
</var>
<var>
<name>urn:xmpp:hash-function-text-names:id-blake2b160</name>
<desc>Support for the BLAKE2b-160 hashing algorithm</desc>
<doc>XEP-0300</doc>
</var>
<var>
<name>urn:xmpp:hash-function-text-names:id-blake2b256</name>
<desc>Support for the BLAKE2b-256 hashing algorithm</desc>
<doc>XEP-0300</doc>
</var>
<var>
<name>urn:xmpp:hash-function-text-names:id-blake2b384</name>
<desc>Support for the BLAKE2b-384 hashing algorithm</desc>
<doc>XEP-0300</doc>
</var>
<var>
<name>urn:xmpp:hash-function-text-names:id-blake2b512</name>
<desc>Support for the BLAKE2b-512 hashing algorithm</desc>
<doc>XEP-0300</doc>
</var>
]]></code> ]]></code>
</section2> </section2>
</section1> </section1>

View File

@ -646,6 +646,7 @@ THE SOFTWARE.
<!ENTITY rfc7572 "<span class='ref'><link url='http://tools.ietf.org/html/rfc7572'>RFC 7572</link></span> <note>RFC 7572: Interworking between the Session Initiation Protocol (SIP) and the Extensible Messaging and Presence Protocol (XMPP): Instant Messaging &lt;<link url='http://tools.ietf.org/html/rfc7572'>http://tools.ietf.org/html/rfc7572</link>&gt;.</note>" > <!ENTITY rfc7572 "<span class='ref'><link url='http://tools.ietf.org/html/rfc7572'>RFC 7572</link></span> <note>RFC 7572: Interworking between the Session Initiation Protocol (SIP) and the Extensible Messaging and Presence Protocol (XMPP): Instant Messaging &lt;<link url='http://tools.ietf.org/html/rfc7572'>http://tools.ietf.org/html/rfc7572</link>&gt;.</note>" >
<!ENTITY rfc7622 "<span class='ref'><link url='http://tools.ietf.org/html/rfc7622'>RFC 7622</link></span> <note>RFC 7622: Extensible Messaging and Presence Protocol (XMPP): Address Format &lt;<link url='http://tools.ietf.org/html/rfc7622'>http://tools.ietf.org/html/rfc7622</link>&gt;.</note>" > <!ENTITY rfc7622 "<span class='ref'><link url='http://tools.ietf.org/html/rfc7622'>RFC 7622</link></span> <note>RFC 7622: Extensible Messaging and Presence Protocol (XMPP): Address Format &lt;<link url='http://tools.ietf.org/html/rfc7622'>http://tools.ietf.org/html/rfc7622</link>&gt;.</note>" >
<!ENTITY rfc7395 "<span class='ref'><link url='http://tools.ietf.org/html/rfc7395'>RFC 7395</link></span> <note>RFC 7395: An Extensible Messaging and Presence Protocol (XMPP) Subprotocol for WebSocket &lt;<link url='http://tools.ietf.org/html/rfc7395'>http://tools.ietf.org/html/rfc7395</link>&gt;.</note>" > <!ENTITY rfc7395 "<span class='ref'><link url='http://tools.ietf.org/html/rfc7395'>RFC 7395</link></span> <note>RFC 7395: An Extensible Messaging and Presence Protocol (XMPP) Subprotocol for WebSocket &lt;<link url='http://tools.ietf.org/html/rfc7395'>http://tools.ietf.org/html/rfc7395</link>&gt;.</note>" >
<!ENTITY rfc7693 "<span class='ref'><link url='http://tools.ietf.org/html/rfc7693'>RFC 7693</link></span> <note>RFC 7693: The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC) &lt;<link url='http://tools.ietf.org/html/rfc7693'>http://tools.ietf.org/html/rfc7693</link>&gt;.</note>" >
<!ENTITY rfc7712 "<span class='ref'><link url='http://tools.ietf.org/html/rfc7712'>RFC 7712</link></span> <note>RFC 7712: Domain Name Associations (DNA) in the Extensible Messaging and Presence Protocol (XMPP)&lt;<link url='http://tools.ietf.org/html/rfc7712'>http://tools.ietf.org/html/rfc7712</link>&gt;.</note>" > <!ENTITY rfc7712 "<span class='ref'><link url='http://tools.ietf.org/html/rfc7712'>RFC 7712</link></span> <note>RFC 7712: Domain Name Associations (DNA) in the Extensible Messaging and Presence Protocol (XMPP)&lt;<link url='http://tools.ietf.org/html/rfc7712'>http://tools.ietf.org/html/rfc7712</link>&gt;.</note>" >
<!-- Internet-Drafts --> <!-- Internet-Drafts -->