| 1 |
On Wed, Apr 06, 2022 at 07:06:30PM +0200, Jason A. Donenfeld wrote: |
| 2 |
> No, you're still missing the point. |
| 3 |
> |
| 4 |
> If SHA-512 breaks, the security of the system fails, regardless of |
| 5 |
> what change we make. This is because GnuPG uses SHA-512 for its |
| 6 |
> signatures. |
| 7 |
Question directly for you Jason, because you make a professional study |
| 8 |
of this: does the type of breakage/successful attack against against |
| 9 |
SHA-512 matter? |
| 10 |
|
| 11 |
e.g. is it possible that some type of attack would only work against the |
| 12 |
Manifest entry, but NOT against the GPG signature's embedded SHA-512 (or |
| 13 |
the opposite). |
| 14 |
|
| 15 |
The best hypothetical idea I had was that there exists some large |
| 16 |
special input that lets an attacker reset the output to an arbitrary |
| 17 |
hash after their malicious payload: but it wouldn't fit in the GPG |
| 18 |
signature space. |
| 19 |
|
| 20 |
> |
| 21 |
> So I'll spell out the different possibilities: |
| 22 |
> 1) GPG uses SHA-512. Manifest uses SHA-512 and BLAKE2b. |
| 23 |
score -1 + 0 = -1 |
| 24 |
> 2) GPG uses SHA-512. Manifest uses SHA-512. |
| 25 |
score -1 + 0 = -1 |
| 26 |
> 3) GPG uses SHA-512. Manifest uses BLAKE2b. |
| 27 |
score -1 + -1 = -2 |
| 28 |
> See how from a security perspective, (2) is not worse than (1), but |
| 29 |
> (3) is worse than both (1) and (2)? |
| 30 |
Yes, (2) is not worse than (1) for the overall security perspective. |
| 31 |
That leaves the discussion does (1) have other benefits / value |
| 32 |
propositions that make it worth less than (2). (see my other thread) |
| 33 |
|
| 34 |
-- |
| 35 |
Robin Hugh Johnson |
| 36 |
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer |
| 37 |
E-Mail : robbat2@g.o |
| 38 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
| 39 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |
Archives