Hi Ulrich,

On Tue, Apr 5, 2022 at 10:15 PM Ulrich Mueller <ulm@g.o> wrote:
>
> >>>>> On Tue, 05 Apr 2022, Jason A Donenfeld wrote:
>
> > Huh. Something not brought up there or https://bugs.gentoo.org/784710
> > is the fact that the _security_ of the system reduces to SHA-512 as
> > used by our GPG signatures.
>
> The hash algorithm would be the least of my concerns about the security
> of these signatures.
>
> IIUC, the secret signing key is stored on a machine that is connected to
> the network (Infra, please correct me if I'm wrong). So there are other
> more likely attack vectors than a preimage attack on a 512 bit hash
> function.

You missed the point, which is that having two hashes, SHA512 and
BLAKE2b, doesn't actually help anything, since an attacker only has to
attack SHA512 in order to break the signature system, which is
actually what we're relying on for security. Yes, there are other
attacks too on the signature system. But in terms of hashing, my point
is that adding an additional hash to manifest files to the one used by
the signature doesn't help anything from a security perspective, since
if you have an attack on the signature's hash, then no additional
hashing is going to actually help.

Jason
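The argument above, worked through in code. This is an added illustration written for this thread, not Gentoo's Manifest or signing tooling: a toy hash-then-sign verifier where HMAC stands in for the GPG signature primitive, `weak_digest` (SHA-512 truncated to 16 bits) stands in for "the hash the signature is computed over has been broken", and the trailing `# <n>` line the forger varies is a convenience of this toy format. The DIST line shape, the key, the file names and the file contents are all constructed samples. The forged manifest carries correct BLAKE2B and SHA512 values for the backdoored file, so the extra per-file hash never gets a chance to object; swapping the signature's hash back to full SHA-512 is the only change that makes the forgery fail.

```python
import hashlib
import hmac
import itertools

# Toy model of a hash-then-sign Manifest, written for this thread (not Gentoo's
# code). HMAC stands in for the GPG signature primitive; `weak_digest` stands
# in for "the signature's hash is broken" by truncating SHA-512 to 16 bits so
# a second preimage can be brute-forced in well under a second.

SIGNING_KEY = b"toy-signing-key"  # assumption: stand-in for the signer's private key


def dist_line(name: str, data: bytes) -> str:
    """One DIST entry carrying both hashes, in the
    'DIST <name> <size> BLAKE2B <hex> SHA512 <hex>' shape."""
    return (f"DIST {name} {len(data)} "
            f"BLAKE2B {hashlib.blake2b(data).hexdigest()} "
            f"SHA512 {hashlib.sha512(data).hexdigest()}")


def strong_digest(manifest: bytes) -> bytes:
    """Full SHA-512 of the manifest text: what the signature really covers."""
    return hashlib.sha512(manifest).digest()


def weak_digest(manifest: bytes) -> bytes:
    """Deliberately broken stand-in: SHA-512 truncated to 16 bits."""
    return hashlib.sha512(manifest).digest()[:2]


def sign(manifest: bytes, digest_fn) -> bytes:
    """Hash-then-sign. Only digest_fn(manifest) is bound by the signature."""
    return hmac.new(SIGNING_KEY, digest_fn(manifest), hashlib.sha256).digest()


def verify(manifest: bytes, signature: bytes, files: dict, digest_fn) -> bool:
    """Verify the signature over digest_fn(manifest), then check every DIST
    line's size, BLAKE2B and SHA512 against the file contents supplied."""
    if not hmac.compare_digest(sign(manifest, digest_fn), signature):
        return False
    for line in manifest.decode().splitlines():
        if not line.startswith("DIST "):
            continue  # toy format: anything else (e.g. a '# ...' line) is ignored
        _, name, size, _, b2, _, s512 = line.split()
        data = files.get(name)
        if data is None or int(size) != len(data):
            return False
        if b2 != hashlib.blake2b(data).hexdigest():
            return False
        if s512 != hashlib.sha512(data).hexdigest():
            return False
    return True


def forge_second_preimage(target: bytes, attacker_lines: list, digest_fn) -> bytes:
    """Build a manifest made of attacker_lines whose digest_fn value equals
    digest_fn(target), by varying a trailing '# <n>' line. The loop only
    terminates quickly because digest_fn is weak; against full SHA-512 this
    is the second-preimage attack the thread is talking about."""
    want = digest_fn(target)
    body = "\n".join(attacker_lines)
    for n in itertools.count():
        candidate = f"{body}\n# {n}\n".encode()
        if digest_fn(candidate) == want:
            return candidate


def demo() -> tuple:
    """Returns (legit_ok, forged_accepted_under_weak_hash, forged_rejected_under_sha512).
    The forged manifest lists correct BLAKE2B and SHA512 values for the
    backdoored file, so the per-file hashes cannot catch it: only the hash
    bound by the signature decides the outcome."""
    good = b"legitimate tarball contents"     # constructed sample file
    evil = b"backdoored tarball contents!!"   # constructed sample file
    legit_manifest = (dist_line("foo-1.0.tar.gz", good) + "\n").encode()

    sig = sign(legit_manifest, weak_digest)
    legit_ok = verify(legit_manifest, sig, {"foo-1.0.tar.gz": good}, weak_digest)

    forged = forge_second_preimage(
        legit_manifest, [dist_line("foo-1.0.tar.gz", evil)], weak_digest)
    forged_accepted = verify(forged, sig, {"foo-1.0.tar.gz": evil}, weak_digest)

    # Same forged manifest against a signature over the full SHA-512:
    # the second preimage found for the truncated hash no longer matches.
    strong_sig = sign(legit_manifest, strong_digest)
    forged_rejected = not verify(
        forged, strong_sig, {"foo-1.0.tar.gz": evil}, strong_digest)
    return legit_ok, forged_accepted, forged_rejected


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Running it prints `(True, True, True)`: the legitimate manifest verifies, the forged one verifies against the very same signature when the signature's hash is weak, and it is rejected only once the signature covers the full SHA-512. Nothing about the BLAKE2B column changed between the second and third case.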