Remove support for SHA-1 from BIP0070 #239

pull dionyziz wants to merge 1 commits into bitcoin:master from dionyziz:sha1_obsolete changing 1 files +3 −5
  1. dionyziz commented at 1:11 am on November 13, 2015: contributor

    SHA-1 has long been considered an insecure hashing algorithm. While there have not been any collisions found yet, there are indications that actual collisions are imminent.

    Since 2011, we have known about the hash collision attack by Marc Stevens [0] which brings down the complexity to approximately 2^65.

    However, the recent attack by Stevens, Karpman, Peyrin on October 8th, 2015 which allowed them to construct and publish a freestart collision attack on SHA-1’s compression function (termed the “SHAppening”) with only 2^57 evaluations [1] is even more worrysome.

    Under these circumstances, PKI CAs are already discussing the sunsetting of SHA1 as a hash function, as it is considered cryptographically insecure. These discussions have led to decisions to stop using SHA-1 in PKI certificates. Specifically [2]

    1. SHA-1 certificates will no longer be issued after the end of 2015.
    2. SHA-1 certificates issued earlier will no longer be accepted after the end of 2016.

    As the CA discussions indicate, it is not sufficient to pull SHA-1 support from CAs. As MD5 has shown, hash functions will have to be pulled from applications (such as the browser or BIP0070 for bitcoin) for the hashes to be discontinued. Therefore, it is not enough for us to rely on CAs following the deadlines.

    As BIP0070 concerns the security of payments, we should discontinue the acceptance or recommendation of SHA-1 as a hash method for our protocol sooner than later.

    This patch removes SHA-1 support for X.509 certificates from BIP0070.

    [0] https://marc-stevens.nl/research/papers/PhD%20Thesis%20Marc%20Stevens%20-%20Attacks%20on%20Hash%20Functions%20and%20Applications.pdf [1] https://sites.google.com/site/itstheshappening/ [2] https://cabforum.org/pipermail/public/2015-November/006280.html

  2. Remove support for SHA-1
    SHA-1 has long been considered an insecure hashing algorithm. While
    there have not been any collisions found yet, there are indications that
    actual collisions are imminent.
    
    Since 2011, we have known about the hash collision attack by Marc
    Stevens [0] which brings down the complexity to approximately 2^65.
    
    However, the recent attack by Stevens, Karpman, Peyrin on October 8th,
    2015 which allowed them to construct and publish a freestart collision
    attack on SHA-1's compression function (termed the "SHAppening") with
    only 2^57 evaluations [1] is even more worrysome.
    
    Under these circumstances, PKI CAs are already discussing the sunsetting
    of SHA1 as a hash function, as it is considered cryptographically
    insecure. These discussions have led to decisions to stop using SHA-1 in
    PKI certificates. Specifically [2]
    
    1. SHA-1 certificates will no longer be issued after the end of 2015.
    2. SHA-1 certificates issued earlier will no longer be accepted after
    the end of 2016.
    
    As the CA discussions indicate, it is not sufficient to pull SHA-1
    support from CAs. As MD5 has shown, hash functions will have to be
    pulled from applications (such as the browser or BIP0070 for bitcoin)
    for the hashes to be discontinued. Therefore, it is not enough for us to
    rely on CAs following the deadlines.
    
    As BIP0070 concerns the security of payments, we should discontinue the
    acceptance or recommendation of SHA-1 as a hash method for our protocol
    sooner than later.
    
    This patch removes SHA-1 support for X.509 certificates from BIP0070.
    
    [0]
    https://marc-stevens.nl/research/papers/PhD%20Thesis%20Marc%20Stevens%20-%20Attacks%20on%20Hash%20Functions%20and%20Applications.pdf
    [1] https://sites.google.com/site/itstheshappening/
    [2] https://cabforum.org/pipermail/public/2015-November/006280.html
    e54d129418
  3. dionyziz force-pushed on Nov 13, 2015
  4. dionyziz renamed this:
    Remove support for SHA-1.
    Remove support for SHA-1
    on Nov 13, 2015
  5. dionyziz renamed this:
    Remove support for SHA-1
    Remove support for SHA-1 from BIP0070
    on Nov 13, 2015
  6. afk11 commented at 1:34 am on November 13, 2015: contributor

    BIP’s normally don’t change after they’re accepted. I notice the payment_details_version is not captured by the signature, so bumping the version isn’t a safe way to indicate dropping SHA1. A new field in PaymentDetails might work though.

    Still, NACK for simply deleting support for SHA1, the protocol has been implemented many times by now.

  7. dionyziz commented at 1:35 am on November 13, 2015: contributor
    What is the recommended method for marking something obsolete?
  8. hoffmabc commented at 1:50 am on November 13, 2015: none
    What exactly does “been implemented many times by now” mean? There needs to be a plan to deprecate SHA-1 at a minimum I would think. Even US government agencies have had plenty of time to migrate to SHA-2 by now.
  9. afk11 commented at 2:12 am on November 13, 2015: contributor
    @hoffmabc I’m referring to BIP70. Since there are several libraries, wallets, and payment processors with support for this and the change breaks compatibility, the proposal needs to address actually upgrading the protocol. @dionyziz Not sure, probably a new field on the PaymentDetails message. Maybe ask IRC / the mailing list.
  10. luke-jr commented at 6:33 am on November 13, 2015: member
    Right, BIP 70 cannot be changed at this point. You’ll need a new BIP proposing a change to the payment protocol.
  11. luke-jr closed this on Nov 13, 2015

  12. luke-jr added the label invalid on Nov 13, 2015
  13. luke-jr added the label Proposed BIP modification on Nov 13, 2015
  14. jim618 cross-referenced this on Nov 19, 2015 from issue SHA1 likely to be removed from BIP70 by jim618

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-26 16:10 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me