On Wed, Apr 06, 2022 at 07:06:30PM +0200, Jason A. Donenfeld wrote:
> No, you're still missing the point.
>
> If SHA-512 breaks, the security of the system fails, regardless of
> what change we make. This is because GnuPG uses SHA-512 for its
> signatures.
Question directly for you Jason, because you make a professional study
of this: does the type of breakage/successful attack against
SHA-512 matter?

e.g. is it possible that some type of attack would only work against the
Manifest entry, but NOT against the GPG signature's embedded SHA-512 (or
the opposite)?

The best hypothetical idea I had was that there exists some large
special input that lets an attacker reset the output to an arbitrary
hash after their malicious payload: but it wouldn't fit in the GPG
signature space.

>
> So I'll spell out the different possibilities:
> 1) GPG uses SHA-512. Manifest uses SHA-512 and BLAKE2b.
score -1 + 0 = -1
> 2) GPG uses SHA-512. Manifest uses SHA-512.
score -1 + 0 = -1
> 3) GPG uses SHA-512. Manifest uses BLAKE2b.
score -1 + -1 = -2
> See how from a security perspective, (2) is not worse than (1), but
> (3) is worse than both (1) and (2)?
Yes, (2) is not worse than (1) for the overall security perspective.
That leaves the discussion: does (1) have other benefits / value
propositions that make it worth less than (2)? (see my other thread)

--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
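The question in the message above is whether an attack on SHA-512 could apply to the Manifest entry but not to the signature (or the reverse). An added example, written for this page and not code from the thread, Gentoo or Portage, makes the two layers concrete: the Manifest's SHA512/BLAKE2B values are computed over the distfile bytes, while the signature's SHA-512 is computed over the Manifest text, so the two digests have different inputs. The Manifest2 `DIST name size HASH hex ...` line layout is real; the distfile bytes and signing key are constructed, and the GnuPG signature is modelled (an assumption) as an HMAC over `sha512(manifest_text)` because the standard library has no public-key signing.

```python
import hashlib
import hmac
import re

# Constructed sample distfile (not a real tarball).
DISTFILE = b"fake tarball contents for foo-1.0.tar.gz\n" * 64

# Hash names as they appear in Manifest2 lines -> hashlib constructor names.
ALGOS = {"BLAKE2B": "blake2b", "SHA512": "sha512"}


def manifest_line(name: str, data: bytes, hashes=("BLAKE2B", "SHA512")) -> str:
    """Build one DIST line: name, size, then (HASHNAME hex) pairs over the file bytes."""
    parts = ["DIST", name, str(len(data))]
    for h in hashes:
        parts += [h, hashlib.new(ALGOS[h], data).hexdigest()]
    return " ".join(parts)


def sign_manifest(text: str, key: bytes) -> bytes:
    """Stand-in for the GnuPG signature (assumption for this example):
    the signature covers a SHA-512 digest of the Manifest *text*, not the
    distfiles, and HMAC replaces the public-key operation."""
    digest = hashlib.sha512(text.encode()).digest()
    return hmac.new(key, digest, "sha256").digest()


def verify_signature(text: str, sig: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(text, key), sig)


DIST_RE = re.compile(r"^DIST (\S+) (\d+)((?: [A-Z0-9]+ [0-9a-f]+)+)$")


def parse_manifest(text: str) -> dict:
    """Map file name -> (size, {HASHNAME: hex}) for every DIST line."""
    entries = {}
    for line in text.splitlines():
        m = DIST_RE.match(line)
        if not m:
            continue
        rest = m.group(3).split()
        entries[m.group(1)] = (int(m.group(2)), dict(zip(rest[0::2], rest[1::2])))
    return entries


def verify_distfile(entry, data: bytes) -> bool:
    """Accept a distfile only if its size and *every* listed hash match,
    so with BLAKE2B and SHA512 both present an attacker needs both to collide."""
    size, hashes = entry
    if len(data) != size:
        return False
    return all(hashlib.new(ALGOS[h], data).hexdigest() == hexd
               for h, hexd in hashes.items())


def verify(manifest_text: str, sig: bytes, key: bytes, files: dict) -> dict:
    """Full chain: signature over the Manifest text first, then per-file hashes."""
    if not verify_signature(manifest_text, sig, key):
        return {"signature": False}
    result = {"signature": True}
    for name, entry in parse_manifest(manifest_text).items():
        result[name] = verify_distfile(entry, files.get(name, b""))
    return result


def demo(hashes=("BLAKE2B", "SHA512")):
    """Three scenarios; returns the verify() result of each."""
    key = b"constructed signing key"
    name = "foo-1.0.tar.gz"
    manifest = manifest_line(name, DISTFILE, hashes) + "\n"
    sig = sign_manifest(manifest, key)

    # 1. Untouched distfile and Manifest: everything verifies.
    good = verify(manifest, sig, key, {name: DISTFILE})

    # 2. Attacker replaces the distfile. Only the Manifest hashes, computed
    #    over the file bytes, stand between the attacker and acceptance.
    evil = DISTFILE + b"payload"
    swapped = verify(manifest, sig, key, {name: evil})

    # 3. Attacker also rewrites the DIST line to match the new file. The file
    #    hashes now pass, but the signature's SHA-512 is over the Manifest
    #    text, which changed, so the signature check is what rejects it.
    forged = manifest_line(name, evil, hashes) + "\n"
    rewritten = verify(forged, sig, key, {name: evil})
    return good, swapped, rewritten


if __name__ == "__main__":
    for label, outcome in zip(("good", "swapped", "rewritten"), demo()):
        print(label, outcome)
```

Calling `demo(("SHA512",))` models case (2) from the quoted list (Manifest with SHA-512 only) and produces the same accept/reject pattern as the default two-hash Manifest, which is the point of the "(2) is not worse than (1)" comparison once the signature layer is assumed intact.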