| 1 |
Hi Ulrich, |
| 2 |
|
| 3 |
On Tue, Apr 5, 2022 at 10:15 PM Ulrich Mueller <ulm@g.o> wrote: |
| 4 |
> |
| 5 |
> >>>>> On Tue, 05 Apr 2022, Jason A Donenfeld wrote: |
| 6 |
> |
| 7 |
> > Huh. Something not brought up there or https://bugs.gentoo.org/784710 |
| 8 |
> > is the fact that the _security_ of the system reduces to SHA-512 as |
| 9 |
> > used by our GPG signatures. |
| 10 |
> |
| 11 |
> The hash algorithm would be the least of my concerns about the security |
| 12 |
> of these signatures. |
| 13 |
> |
| 14 |
> IIUC, the secret signing key is stored on a machine that is connected to |
| 15 |
> the network (Infra, please correct me if I'm wrong). So there are other |
| 16 |
> more likely attack vectors than a preimage attack on a 512 bit hash |
| 17 |
> function. |
| 18 |
|
| 19 |
You missed the point, which is that having two hashes, SHA512 and |
| 20 |
BLAKE2b, doesn't actually help anything, since an attacker only must |
| 21 |
attack SHA512 in order to break the signature system, which is |
| 22 |
actually what we're relying on for security. Yes there are other |
| 23 |
attacks too on the signature system. But in terms of hashing, my point |
| 24 |
is that adding an additional hash to manifest files to the one used by |
| 25 |
the signature doesn't help anything from a security perspective, since |
| 26 |
if you have an attack on the signature's hash, then no additional |
| 27 |
hashing is going to actually help. |
| 28 |
|
| 29 |
Jason |
Archives