multiprocessing.connection challenge implicitly uses MD5

[davidmalcolm]

BPO	17258
Nosy	@warsaw, @doko42, @pitrou, @tiran, @davidmalcolm, @miss-islington
PRs	bpo-17258: use sha256 instead of md5 within multiprocessing.connection #16264 gh-61460: Stronger HMAC in multiprocessing #20380 bpo-17258: Add requires_hashdigest to multiprocessing tests #20412 [3.9] bpo-17258: Add requires_hashdigest to multiprocessing tests (GH-20412) #20626
Files	avoid-implicit-usage-of-md5-in-multiprocessing.patch: Patch to multiprocessing.connection to specify which hash algorithm to use

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2013-02-20.20:11:36.540>
labels = ['3.7', 'library']
title = 'multiprocessing.connection challenge implicitly uses MD5'
updated_at = <Date 2020-06-04.17:22:43.520>
user = 'https://github.com/davidmalcolm'

bugs.python.org fields:

activity = <Date 2020-06-04.17:22:43.520>
actor = 'miss-islington'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Library (Lib)']
creation = <Date 2013-02-20.20:11:36.540>
creator = 'dmalcolm'
dependencies = []
files = ['29134']
hgrepos = []
issue_num = 17258
keywords = ['patch']
message_count = 7.0
messages = ['182547', '182550', '182553', '309103', '309134', '370705', '370717']
nosy_count = 7.0
nosy_names = ['barry', 'doko', 'pitrou', 'christian.heimes', 'dmalcolm', 'sbt', 'miss-islington']
pr_nums = ['16264', '20380', '20412', '20626']
priority = 'normal'
resolution = None
stage = 'patch review'
status = 'open'
superseder = None
type = None
url = 'https://bugs.python.org/issue17258'
versions = ['Python 3.7']

• PR: gh-61460: Switch multiprocessing socket auth to hmac-sha256 #99425

• PR: gh-61460: Add a comment describing the multiprocessing.connection protocol #99623

[davidmalcolm]

Within multiprocessing.connection, deliver_challenge() and
answer_challenge() use hmac for a challenge/response.

hmac implicitly defaults to using MD5.

MD5 should no longer be used for security purposes. See e.g.
http://www.kb.cert.org/vuls/id/836068

This fails in a FIPS-compliant environment (e.g. with the patches I
apply to hashlib in bpo-9216).

There's thus a possibility of an attacker defeating the multiprocessing
authenticator.

I'm attaching a patch which changes multiprocessing to use a clearly
identified algorithm (for the day when it needs changing again),
hardcoding it as "sha256"; presumably all processes within a
multiprocess program that share authkey can share the algorithm.

It's not clear to me whether hmac.py should also be changed (this would
seem to have tougher backwards-compat concerns).

[Note to self: I'm tracking this downstream for RHEL as
https://bugzilla.redhat.com/show_bug.cgi?id=879695 (this bug is
currently only visible to RH employees)]

[tiran]

The statement "MD5 should no longer be used for security purposes" is not entirely correct. MD5 should no longer be used as cryptographic hash function for signatures. However HMAC-MD5 is a different story.

From https://tools.ietf.org/html/rfc6151

The attacks on HMAC-MD5 do not seem to indicate a practical
vulnerability when used as a message authentication code.
[...]
Therefore, it may not be urgent to remove HMAC-MD5 from the existing
protocols. However, since MD5 must not be used for digital
signatures, for a new protocol design, a ciphersuite with HMAC-MD5
should not be included.

I agree that we should slowly migrate to a more modern MAC such as HMAC-SHA256. AES-CBC is too hard to get right and most AES implementation are vulnerable to timing attacks, too.

How about we include the name of the MAC in multiprocessing's wire protocol and define "no MAC name given" as HMAC-MD5? Please don't call it SHA256 but HMAC-SHA256, too.

[sbt]

Banning md5 as a matter of policy may be perfectly sensible.

However, I think the way multiprocessing uses hmac authentication is *not* affected by the collision attacks the advisory talks about. These depend on the attacker being able to determine for himself whether a particular candidate string is a "solution".

But with the way multiprocessing uses hmac authentication there is no way for the attacker to check for himself whether a candidate string has the desired hash: he does not know what the desired hash value is, or even what the hash function is. (The effective hash function, though built on top of md5, depends on the secret key.)

[tiran]

Dave, are you still interested to address the issue?

I think it's a good idea to replace HMAC-MD5 in the long run. But instead of hard-coding another hash algorithm, I would like to see an improved handshake protocol that supports flexible authentication algorithms. You could send an algorithm indicator (e.g. HMAC_SHA256) in the request.

It would be really cool to run multiprocessing protocol over TLS with support for SASL with SCRAM or EXTERNAL (TLS cert auth, AF_UNIX PEERCRED, GSSAPI)...

[pitrou]

Indeed, we probably want a flexible handshake mechanism. This needn't be very optimized: probably a magic number followed by a JSON-encoded dict is sufficient.

(of course, several years down the road, someone will engineer a downgrade attack)

[miss-islington]

New changeset b022e5c by Christian Heimes in branch 'master':
bpo-17258: Add requires_hashdigest to multiprocessing tests (GH-20412)
b022e5c

[miss-islington]

New changeset 196810a by Miss Islington (bot) in branch '3.9':
bpo-17258: Add requires_hashdigest to multiprocessing tests (GH-20412)
196810a

[gpshead]

This isn't something to backport to a release as what we've got isn't broken. Changing this is a feature.

[gpshead]

So #20380 is a more complicated version of my draft PR above. In other PRs and issues related to this in the past, I see one claim by @tiran in particular that bothers me - #16264 (comment) - "The change breaks backward compatibility. multiprocessing supports distributed computing across multiple machines and works with multiple Python versions. With the change a controller with Python 3.N+1 would no longer be able to talk to a 3.N server or the other way around."

What evidence is there that multi-python-version use of multiprocessing rather than use as a single Python process launching and controlling a bunch of children is a supported use case? People really should not be using multiprocessing that way. This isn't a distributed computing system.

[CAM-Gerlach]

Just to note, this came up again, in #100755 , an apparent duplicate of this issue

[gpshead]

3.12beta1 is going out using hmac-sha256 by default with the above PR merge.