Re: How does Nginx look-up cached resource?

Gena Makhomed
September 08, 2015 05:08PM
On 08.09.2015 4:41, Maxim Dounin wrote:

> On the other hand, it might be possible to simplify requirements
> of the attack by forcing some authenticated user to load data
> under a given key and then retrieve this key contents using a
> chosen prefix collision previously calculated.

Yes, $request_uri is the full original request URI (with arguments).
Most backends ignore unknown request arguments without errors.

>> A more secure and robust way is to store the proxy_cache_key
>> value in the cache file on disk and check this value
>> before sending the cached response to the client. In such a way
>> we can be sure that cache misuse is not possible,
>> and maybe even fast 128-bit secure hash functions
>> can be used, to minimize memory usage and CPU requirements:
>> SHA-1 truncated to 128 bits or something better than SHA-1,
>> or even leave the current MD5 as is, for retaining backward
>> compatibility with existing installations around the world.
>
> Maybe you are right and checking the full key value would be the most
> secure and efficient solution after all, especially keeping in
> mind backward compatibility.

Checking the full key is not my idea;
the author of this idea is Sergey Brester.

The overhead for such an additional full key value check should be minimal.
But this protects nginx users from any future bugs in hash functions.

Using a 256-bit or 512-bit secure hash function requires more memory
and more CPU power, and therefore it is not a very good solution.

But I am still not sure which 128-bit secure hash function
will be the best choice for the nginx cache key hash function.

For legacy CPUs MD5 is faster, but for new CPUs SHA-1 is faster
(this can be checked with the "openssl speed md5 sha1" command).

The chosen-prefix collision attack on MD5 has complexity 2**50,
but 128-bit SHA-1 is more secure than MD5 against such an attack.

128-bit SHA-1 is always better than MD5 for new CPUs,
and maybe this hash should be used for the nginx cache?

But maybe SHAKE128 from SHA-3 is even faster and more secure?
Currently there are no known collision/preimage attacks against SHAKE128.

https://godoc.org/golang.org/x/crypto/sha3

The SHAKE functions are recommended for most new uses. They can produce
output of arbitrary length. SHAKE256, with an output length of at least
64 bytes, provides 256-bit security against all attacks. The Keccak team
recommends it for most applications upgrading from SHA2-512. (NIST chose
a much stronger, but much slower, sponge instance for SHA3-512.)

=======================================================================

Replacing MD5 with another hash function will invalidate all old caches,
but this will be only a one-time performance degradation after the nginx upgrade.

The choice between always using a weak "secure" hash function and a one-time
cache invalidation IMHO should be resolved by replacing the hash function.

IMHO, MD5 is the worst, SHA-1 is better, and SHAKE128 is the best candidate.

============================

Do not use the MD5 algorithm

Software developers, Certification Authorities, website owners, and
users should avoid using the MD5 algorithm in any capacity. As previous
research has demonstrated, it should be considered cryptographically
broken and unsuitable for further use.

- http://www.kb.cert.org/vuls/id/836068

=======================================

--
Best regards,
Gena

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
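The lookup the thread is arguing about, as an added example (my code, not code from the post, from nginx, or from any of the participants): a cache addressed by a 16-byte digest of the key, first without and then with the full-key check Sergey Brester proposed, run against the three 128-bit digests Gena compares (MD5, SHA-1 truncated to 128 bits, SHAKE128 with 16-byte output). The two colliding keys are built from the published Wang et al. (2004) MD5 collision pair plus a common suffix; the dict-backed "cache", the `/index.html` suffix and the victim/attacker scenario are assumptions for illustration, and the digest match is verified at runtime rather than trusted from the transcript.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Published MD5 collision pair (Wang, Feng, Lai, Yu, 2004): two different
# 128-byte messages with identical MD5. Transcribed from the literature; the
# code checks the collision at runtime rather than assuming the transcript.
_BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
_BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# The 128-bit digests the thread compares. Each returns 16 bytes, so the
# in-memory index costs the same whichever one is chosen.
DIGESTS: Dict[str, Callable[[bytes], bytes]] = {
    "md5": lambda k: hashlib.md5(k).digest(),
    "sha1-128": lambda k: hashlib.sha1(k).digest()[:16],   # SHA-1 truncated to 128 bits
    "shake128": lambda k: hashlib.shake_128(k).digest(16),  # XOF, 16-byte output
}


@dataclass
class Entry:
    key: bytes   # the full proxy_cache_key value, stored beside the body
    body: bytes


class Cache:
    """Hash-indexed cache (assumed model, not nginx's on-disk format): entries
    are addressed by a 16-byte digest of the key. With verify_key=True the
    stored full key is compared on every hit, the check proposed in the thread."""

    def __init__(self, digest: Callable[[bytes], bytes], verify_key: bool) -> None:
        self.digest = digest
        self.verify_key = verify_key
        self.index: Dict[bytes, Entry] = {}

    def put(self, key: bytes, body: bytes) -> None:
        self.index[self.digest(key)] = Entry(key, body)

    def get(self, key: bytes) -> Optional[bytes]:
        entry = self.index.get(self.digest(key))
        if entry is None:
            return None  # MISS
        if self.verify_key and entry.key != key:
            # Digest collision: a different key owns this slot. Treat it as a
            # MISS so the other user's response is never served for this key.
            return None
        return entry.body


def colliding_keys(suffix: bytes = b"/index.html") -> Tuple[bytes, bytes]:
    """Two distinct keys with a common suffix that share one MD5. The collision
    blocks are 64-byte aligned, so MD5's internal state is identical after
    them and any common suffix keeps the two digests equal."""
    return _BLOCK_A + suffix, _BLOCK_B + suffix


def attacker_sees(digest_name: str, verify_key: bool) -> Optional[bytes]:
    """Scenario from the thread: a victim's request populates the slot for
    key_a; the attacker then requests key_b, precomputed to collide with it.
    Returns whatever the cache hands the attacker (None means MISS)."""
    key_a, key_b = colliding_keys()
    cache = Cache(DIGESTS[digest_name], verify_key)
    cache.put(key_a, b"victim's private response")
    return cache.get(key_b)


if __name__ == "__main__":
    for name in DIGESTS:
        for verify in (False, True):
            print(f"{name:9s} verify_key={verify!s:5s} -> {attacker_sees(name, verify)!r}")
```

With `md5` and no key check the attacker is handed the victim's body; with the full-key check the same lookup is a MISS, and the choice of digest then only affects how likely a collision is, not what happens when one occurs. Note that the collision pair above is an identical-prefix collision starting at offset 0; a real nginx key begins with `$scheme$proxy_host`, so an attacker would need a collision computed for that fixed prefix, which the thread's chosen-prefix discussion covers.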