1 |
Hello, |
2 |
|
3 |
On Thu, Oct 19, 2017 at 2:08 PM, Michał Górny <mgorny@g.o> wrote: |
4 |
> Hi, everyone. |
5 |
> |
6 |
> The previous discussion on Manifest2 hashes pretty much died away |
7 |
> pending fixes to Portage. Since Portage was fixed a while ago, and we |
8 |
> can now safely switch, I'd like to reboot the discussion before |
9 |
> submitting the item for the next Council meeting. |
10 |
> |
11 |
> Considering all arguments made so far, I'd like to propose changing: |
12 |
> |
13 |
> manifest-hashes = SHA256 SHA512 WHIRLPOOL |
14 |
> |
15 |
> to: |
16 |
> |
17 |
> manifest-hashes = SHA512 SHA3_512 |
18 |
> |
19 |
> In other words, removing SHA256 and WHIRLPOOL, and adding SHA3_512. |
20 |
> |
21 |
|
22 |
In general I do not mind updating the algorithms used, but I do feel |
23 |
it is important to keep at least three present. Without at least three |
24 |
(or a larger odd number) it is not possible to break a tie. |
25 |
|
26 |
That may ultimately be beside the point, as any invalid hashes should |
27 |
result in the user contacting the developers or doing something else, |
28 |
but it is hard to know. |
29 |
|
30 |
> |
31 |
> Rationale |
32 |
> --------- |
33 |
> |
34 |
> 1. The main argument for using multiple hashes is to prevent the (very |
35 |
> unlikely) possibility that if a weakness is discovered in one of |
36 |
> the hashes, the other would still hold. This is given by using two |
37 |
> algorithms; more than two do not increase security significantly, while |
38 |
> they do increase performance cost. |
39 |
> |
40 |
> 2. For the above to hold, the hashes should be diverse. SHA256 |
41 |
> and SHA512 are the same algorithm, so a weakness discovered in either |
42 |
> would probably apply to both -- keeping both does not make sense at all. |
43 |
> Furthermore, both SHA2 and WHIRLPOOL use the same construct (MD), so |
44 |
> a weakness in the construct would apply to both. |
45 |
> |
46 |
|
47 |
Algorithms of different block sizes can easily have different |
48 |
cryptographic properties. |
49 |
|
50 |
Notable is https://en.wikipedia.org/wiki/Advanced_Encryption_Standard, |
51 |
see box. More relevant is https://en.wikipedia.org/wiki/SHA-2. |
52 |
|
53 |
In general only the computational complexity is affected, but in the |
54 |
case of AES some attacks work for the larger key lengths that do not |
55 |
work for smaller ones. There is one other case I am having problems |
56 |
remembering where a longer keylength led to a massively easier to |
57 |
attack function. |
58 |
|
59 |
For SHA3_512, I am worried that some of the novel properties of the |
60 |
function that do not currently lead to attacks may in the future lead |
61 |
to attacks. |
62 |
|
63 |
> 3. Keeping one of the three old hashes is necessary for compatibility |
64 |
> reasons. Furthermore, the current versions of Portage consider SHA512 |
65 |
> obligatory, so we can't remove it without redesigning Portage first |
66 |
> (though I think this applies only to developer installs, i.e. those |
67 |
> creating Manifests). |
68 |
> |
69 |
> 4. The new hashes that are stronger and commonly available are |
70 |
> SHA3/Keccak (using sponges) and BLAKE2 (HAIFA). Both are diverse from |
71 |
> our current algorithms, so either is a good candidate. The choice of |
72 |
> Keccak is purely arbitrary (because it's the winner?). |
73 |
> |
74 |
> All the above considered, I think it's most reasonable to use two hashes |
75 |
> with diverse constructs. SHA512 needs to be one of them, for |
76 |
> compatibility reasons. The other could be either SHA3_512 or BLAKE2B, |
77 |
> as a strong, future-proof hash. SHA3 is probably a better choice because |
78 |
> it's going to have more support as the official recommendation. |
79 |
> |
80 |
|
81 |
I would like to present my suggestions: |
82 |
|
83 |
SHA512, (RIPEMD160 | WHIRLPOOL | BLAKE2B), (SHA3_512 | BLAKE2B); |
84 |
|
85 |
or more definitively: |
86 |
|
87 |
SHA512, RIPEMD160, BLAKE2B. |
88 |
|
89 |
My understanding is that whirlpool is the least secure of the 512 bit |
90 |
hashes, but it would still be a serious undertaking to generate a |
91 |
collision. If there is any cause to replace it RIPEMD160 is likely a |
92 |
good candidate. It is similar in operation to the SHA1/2 functions but |
93 |
was produced by the academic community and is quite dissimilar from |
94 |
the SHA1/2 family. The "definitive" suggestions provide a wide sample |
95 |
of time, size, and implementation. |
96 |
|
97 |
SHA3_512 is novel and may be resistant to attack in ways the others |
98 |
are not, but it is my opinion that BLAKE2B's author is better known |
99 |
and respected. |
100 |
|
101 |
I could also see the combination SHA512, BLAKE2B, SHA3_512 being |
102 |
desirable, as that selection represents 3 very diverse algorithms. |
103 |
|
104 |
If the suggestion of RIPEMD160 seems odd, realize that some |
105 |
distribution platforms still use MD5 along with other functions. It is |
106 |
fast to compute and with another hash function quite credible. If the |
107 |
time taken to generate the hashes is a legitimate concern then using a |
108 |
older, simpler, and heavily optimized function may be better for one |
109 |
of the choices. |
110 |
|
111 |
Respectfully, |
112 |
R0b0t1 |