| 1 |
Blake2 is in coreutils already, provides an excellent security margin, and |
| 2 |
is considerably faster than both sha2 and sha3. |
| 3 |
|
| 4 |
On Oct 19, 2017 21:09, "Michał Górny" <mgorny@g.o> wrote: |
| 5 |
|
| 6 |
> Hi, everyone. |
| 7 |
> |
| 8 |
> The previous discussion on Manifest2 hashes pretty much died away |
| 9 |
> pending fixes to Portage. Since Portage was fixed a while ago, and we |
| 10 |
> can now safely switch, I'd like to reboot the discussion before |
| 11 |
> submitting the item for the next Council meeting. |
| 12 |
> |
| 13 |
> Considering all arguments made so far, I'd like to propose changing: |
| 14 |
> |
| 15 |
> manifest-hashes = SHA256 SHA512 WHIRLPOOL |
| 16 |
> |
| 17 |
> to: |
| 18 |
> |
| 19 |
> manifest-hashes = SHA512 SHA3_512 |
| 20 |
> |
| 21 |
> In other words, removing SHA256 and WHIRLPOOL, and adding SHA3_512. |
| 22 |
> |
| 23 |
> |
| 24 |
> Rationale |
| 25 |
> --------- |
| 26 |
> |
| 27 |
> 1. The main argument for using multiple hashes is to prevent the (very |
| 28 |
> unlikely) possibility that if a weakness is discovered in one of |
| 29 |
> the hashes, the other would still hold. This is given by using two |
| 30 |
> algorithms; more than two do not increase security significantly, while |
| 31 |
> they do increase performance cost. |
| 32 |
> |
| 33 |
> 2. For the above to hold, the hashes should be diverse. SHA256 |
| 34 |
> and SHA512 are the same algorithm, so a weakness discovered in either |
| 35 |
> would probably apply to both -- keeping both does not make sense at all. |
| 36 |
> Furthermore, both SHA2 and WHIRLPOOL use the same construct (MD), so |
| 37 |
> a weakness in the construct would apply to both. |
| 38 |
> |
| 39 |
> 3. Keeping one of the three old hashes is necessary for compatibility |
| 40 |
> reasons. Furthermore, the current versions of Portage consider SHA512 |
| 41 |
> obligatory, so we can't remove it without redesigning Portage first |
| 42 |
> (though I think this applies only to developer installs, i.e. those |
| 43 |
> creating Manifests). |
| 44 |
> |
| 45 |
> 4. The new hashes that are stronger and commonly available are |
| 46 |
> SHA3/Keccak (using sponges) and BLAKE2 (HAIFA). Both are diverse from |
| 47 |
> our current algorithms, so either is a good candidate. The choice of |
| 48 |
> Keccak is purely arbitrary (because it's the winner?). |
| 49 |
> |
| 50 |
> All the above considered, I think it's most reasonable to use two hashes |
| 51 |
> with diverse constructs. SHA512 needs to be one of them, for |
| 52 |
> compatibility reasons. The other could be either SHA3_512 or BLAKE2B, |
| 53 |
> as a strong, future-proof hash. SHA3 is probably a better choice because |
| 54 |
> it's going to have more support as the official recommendation. |
| 55 |
> |
| 56 |
> -- |
| 57 |
> Best regards, |
| 58 |
> Michał Górny |
| 59 |
> |
| 60 |
> |
| 61 |
> |
Archives