Remove support for SHA-1 from BIP0070 #239

1. 
   dionyziz commented at 1:11 am on November 13, 2015: contributor

   SHA-1 has long been considered an insecure hashing algorithm. While there have not been any collisions found yet, there are indications that actual collisions are imminent.

   Since 2011, we have known about the hash collision attack by Marc Stevens [0] which brings down the complexity to approximately 2^65.

   However, the recent attack by Stevens, Karpman, Peyrin on October 8th, 2015 which allowed them to construct and publish a freestart collision attack on SHA-1’s compression function (termed the “SHAppening”) with only 2^57 evaluations [1] is even more worrysome.

   Under these circumstances, PKI CAs are already discussing the sunsetting of SHA1 as a hash function, as it is considered cryptographically insecure. These discussions have led to decisions to stop using SHA-1 in PKI certificates. Specifically [2]

   1. SHA-1 certificates will no longer be issued after the end of 2015.
   2. SHA-1 certificates issued earlier will no longer be accepted after the end of 2016.

   As the CA discussions indicate, it is not sufficient to pull SHA-1 support from CAs. As MD5 has shown, hash functions will have to be pulled from applications (such as the browser or BIP0070 for bitcoin) for the hashes to be discontinued. Therefore, it is not enough for us to rely on CAs following the deadlines.

   As BIP0070 concerns the security of payments, we should discontinue the acceptance or recommendation of SHA-1 as a hash method for our protocol sooner than later.

   This patch removes SHA-1 support for X.509 certificates from BIP0070.

   [0] https://marc-stevens.nl/research/papers/PhD%20Thesis%20Marc%20Stevens%20-%20Attacks%20on%20Hash%20Functions%20and%20Applications.pdf [1] https://sites.google.com/site/itstheshappening/ [2] https://cabforum.org/pipermail/public/2015-November/006280.html

2. Remove support for SHA-1

   SHA-1 has long been considered an insecure hashing algorithm. While
   there have not been any collisions found yet, there are indications that
   actual collisions are imminent.
   
   Since 2011, we have known about the hash collision attack by Marc
   Stevens [0] which brings down the complexity to approximately 2^65.
   
   However, the recent attack by Stevens, Karpman, Peyrin on October 8th,
   2015 which allowed them to construct and publish a freestart collision
   attack on SHA-1's compression function (termed the "SHAppening") with
   only 2^57 evaluations [1] is even more worrysome.
   
   Under these circumstances, PKI CAs are already discussing the sunsetting
   of SHA1 as a hash function, as it is considered cryptographically
   insecure. These discussions have led to decisions to stop using SHA-1 in
   PKI certificates. Specifically [2]
   
   1. SHA-1 certificates will no longer be issued after the end of 2015.
   2. SHA-1 certificates issued earlier will no longer be accepted after
   the end of 2016.
   
   As the CA discussions indicate, it is not sufficient to pull SHA-1
   support from CAs. As MD5 has shown, hash functions will have to be
   pulled from applications (such as the browser or BIP0070 for bitcoin)
   for the hashes to be discontinued. Therefore, it is not enough for us to
   rely on CAs following the deadlines.
   
   As BIP0070 concerns the security of payments, we should discontinue the
   acceptance or recommendation of SHA-1 as a hash method for our protocol
   sooner than later.
   
   This patch removes SHA-1 support for X.509 certificates from BIP0070.
   
   [0]
   https://marc-stevens.nl/research/papers/PhD%20Thesis%20Marc%20Stevens%20-%20Attacks%20on%20Hash%20Functions%20and%20Applications.pdf
   [1] https://sites.google.com/site/itstheshappening/
   [2] https://cabforum.org/pipermail/public/2015-November/006280.html

   e54d129418
3. dionyziz force-pushed on Nov 13, 2015
4. dionyziz renamed this:
   Remove support for SHA-1.
   Remove support for SHA-1
   on Nov 13, 2015
5. dionyziz renamed this:
   Remove support for SHA-1
   Remove support for SHA-1 from BIP0070
   on Nov 13, 2015
6. 
   afk11 commented at 1:34 am on November 13, 2015: contributor

   BIP’s normally don’t change after they’re accepted. I notice the payment_details_version is not captured by the signature, so bumping the version isn’t a safe way to indicate dropping SHA1. A new field in PaymentDetails might work though.

   Still, NACK for simply deleting support for SHA1, the protocol has been implemented many times by now.

7. 
   dionyziz commented at 1:35 am on November 13, 2015: contributor

   What is the recommended method for marking something obsolete?
8. 
   hoffmabc commented at 1:50 am on November 13, 2015: none

   What exactly does “been implemented many times by now” mean? There needs to be a plan to deprecate SHA-1 at a minimum I would think. Even US government agencies have had plenty of time to migrate to SHA-2 by now.
9. 
   afk11 commented at 2:12 am on November 13, 2015: contributor

   @hoffmabc I’m referring to BIP70. Since there are several libraries, wallets, and payment processors with support for this and the change breaks compatibility, the proposal needs to address actually upgrading the protocol. @dionyziz Not sure, probably a new field on the PaymentDetails message. Maybe ask IRC / the mailing list.
10. 
    luke-jr commented at 6:33 am on November 13, 2015: member

    Right, BIP 70 cannot be changed at this point. You’ll need a new BIP proposing a change to the payment protocol.
11. luke-jr closed this on Nov 13, 2015

    ---

12. luke-jr added the label invalid on Nov 13, 2015
13. luke-jr added the label Proposed BIP modification on Nov 13, 2015
14. jim618 cross-referenced this on Nov 19, 2015 from issue SHA1 likely to be removed from BIP70 by jim618

Contributors
dionyziz afk11 hoffmabc luke-jr

Labels
invalid Proposed BIP modification