| 1 |
Hello, |
| 2 |
|
| 3 |
On Thu, Oct 19, 2017 at 2:08 PM, Michał Górny <mgorny@g.o> wrote: |
| 4 |
> Hi, everyone. |
| 5 |
> |
| 6 |
> The previous discussion on Manifest2 hashes pretty much died away |
| 7 |
> pending fixes to Portage. Since Portage was fixed a while ago, and we |
| 8 |
> can now safely switch, I'd like to reboot the discussion before |
| 9 |
> submitting the item for the next Council meeting. |
| 10 |
> |
| 11 |
> Considering all arguments made so far, I'd like to propose changing: |
| 12 |
> |
| 13 |
> manifest-hashes = SHA256 SHA512 WHIRLPOOL |
| 14 |
> |
| 15 |
> to: |
| 16 |
> |
| 17 |
> manifest-hashes = SHA512 SHA3_512 |
| 18 |
> |
| 19 |
> In other words, removing SHA256 and WHIRLPOOL, and adding SHA3_512. |
| 20 |
> |
| 21 |
|
| 22 |
In general I do not mind updating the algorithms used, but I do feel |
| 23 |
it is important to keep at least three present. Without at least three |
| 24 |
(or a larger odd number) it is not possible to break a tie. |
| 25 |
|
| 26 |
That may ultimately be beside the point, as any invalid hashes should |
| 27 |
result in the user contacting the developers or doing something else, |
| 28 |
but it is hard to know. |
| 29 |
|
| 30 |
> |
| 31 |
> Rationale |
| 32 |
> --------- |
| 33 |
> |
| 34 |
> 1. The main argument for using multiple hashes is to prevent the (very |
| 35 |
> unlikely) possibility that if a weakness is discovered in one of |
| 36 |
> the hashes, the other would still hold. This is given by using two |
| 37 |
> algorithms; more than two do not increase security significantly, while |
| 38 |
> they do increase performance cost. |
| 39 |
> |
| 40 |
> 2. For the above to hold, the hashes should be diverse. SHA256 |
| 41 |
> and SHA512 are the same algorithm, so a weakness discovered in either |
| 42 |
> would probably apply to both -- keeping both does not make sense at all. |
| 43 |
> Furthermore, both SHA2 and WHIRLPOOL use the same construct (MD), so |
| 44 |
> a weakness in the construct would apply to both. |
| 45 |
> |
| 46 |
|
| 47 |
Algorithms of different block sizes can easily have different |
| 48 |
cryptographic properties. |
| 49 |
|
| 50 |
Notable is https://en.wikipedia.org/wiki/Advanced_Encryption_Standard, |
| 51 |
see box. More relevant is https://en.wikipedia.org/wiki/SHA-2. |
| 52 |
|
| 53 |
In general only the computational complexity is affected, but in the |
| 54 |
case of AES some attacks work for the larger key lengths that do not |
| 55 |
work for smaller ones. There is one other case I am having problems |
| 56 |
remembering where a longer keylength led to a massively easier to |
| 57 |
attack function. |
| 58 |
|
| 59 |
For SHA3_512, I am worried that some of the novel properties of the |
| 60 |
function that do not currently lead to attacks may in the future lead |
| 61 |
to attacks. |
| 62 |
|
| 63 |
> 3. Keeping one of the three old hashes is necessary for compatibility |
| 64 |
> reasons. Furthermore, the current versions of Portage consider SHA512 |
| 65 |
> obligatory, so we can't remove it without redesigning Portage first |
| 66 |
> (though I think this applies only to developer installs, i.e. those |
| 67 |
> creating Manifests). |
| 68 |
> |
| 69 |
> 4. The new hashes that are stronger and commonly available are |
| 70 |
> SHA3/Keccak (using sponges) and BLAKE2 (HAIFA). Both are diverse from |
| 71 |
> our current algorithms, so either is a good candidate. The choice of |
| 72 |
> Keccak is purely arbitrary (because it's the winner?). |
| 73 |
> |
| 74 |
> All the above considered, I think it's most reasonable to use two hashes |
| 75 |
> with diverse constructs. SHA512 needs to be one of them, for |
| 76 |
> compatibility reasons. The other could be either SHA3_512 or BLAKE2B, |
| 77 |
> as a strong, future-proof hash. SHA3 is probably a better choice because |
| 78 |
> it's going to have more support as the official recommendation. |
| 79 |
> |
| 80 |
|
| 81 |
I would like to present my suggestions: |
| 82 |
|
| 83 |
SHA512, (RIPEMD160 | WHIRLPOOL | BLAKE2B), (SHA3_512 | BLAKE2B); |
| 84 |
|
| 85 |
or more definitively: |
| 86 |
|
| 87 |
SHA512, RIPEMD160, BLAKE2B. |
| 88 |
|
| 89 |
My understanding is that whirlpool is the least secure of the 512 bit |
| 90 |
hashes, but it would still be a serious undertaking to generate a |
| 91 |
collision. If there is any cause to replace it RIPEMD160 is likely a |
| 92 |
good candidate. It is similar in operation to the SHA1/2 functions but |
| 93 |
was produced by the academic community and is quite dissimilar from |
| 94 |
the SHA1/2 family. The "definitive" suggestions provide a wide sample |
| 95 |
of time, size, and implementation. |
| 96 |
|
| 97 |
SHA3_512 is novel and may be resistant to attack in ways the others |
| 98 |
are not, but it is my opinion that BLAKE2B's author is better known |
| 99 |
and respected. |
| 100 |
|
| 101 |
I could also see the combination SHA512, BLAKE2B, SHA3_512 being |
| 102 |
desirable, as that selection represents 3 very diverse algorithms. |
| 103 |
|
| 104 |
If the suggestion of RIPEMD160 seems odd, realize that some |
| 105 |
distribution platforms still use MD5 along with other functions. It is |
| 106 |
fast to compute and with another hash function quite credible. If the |
| 107 |
time taken to generate the hashes is a legitimate concern then using a |
| 108 |
older, simpler, and heavily optimized function may be better for one |
| 109 |
of the choices. |
| 110 |
|
| 111 |
Respectfully, |
| 112 |
R0b0t1 |
Archives