Hi Robin,

On Wed, Apr 06, 2022 at 05:31:09PM +0000, Robin H. Johnson wrote:
> On Wed, Apr 06, 2022 at 07:06:30PM +0200, Jason A. Donenfeld wrote:
> > No, you're still missing the point.
> >
> > If SHA-512 breaks, the security of the system fails, regardless of
> > what change we make. This is because GnuPG uses SHA-512 for its
> > signatures.
> Question directly for you Jason, because you make a professional study
> of this: does the type of breakage/successful attack against
> SHA-512 matter?
>
> e.g. is it possible that some type of attack would only work against the
> Manifest entry, but NOT against the GPG signature's embedded SHA-512 (or
> the opposite).
>
> The best hypothetical idea I had was that there exists some large
> special input that lets an attacker reset the output to an arbitrary
> hash after their malicious payload: but it wouldn't fit in the GPG
> signature space.

Generally speaking, the more control an attacker has over the input, the
easier certain types of attacks might be. So maybe in the most general
sense that applies. I wouldn't model a security analysis around that,
though. Rather, the usual way to apply that sort of thinking is to
design algorithms that rely on certain properties of hash functions, but
not others; for example, Ed25519 does not rely on the hash function
being collision resistant due to its construction.

Jason
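To make the Ed25519 point concrete, here is a minimal pure-Python Ed25519 (RFC 8032) as an added example that is not part of the thread, with the signing step commented to show which hash input an attacker would have to collide and why the construction does not depend on collision resistance. It follows the standard construction (the public-key test vector is RFC 8032's); the on-curve check in decodepoint is omitted.

```python
import hashlib

q = 2**255 - 19                                      # field prime
l = 2**252 + 27742317777372353535851937790883648493  # group order
d = (-121665 * pow(121666, q - 2, q)) % q            # curve constant
I = pow(2, (q - 1) // 4, q)                          # a square root of -1

def H(m): return hashlib.sha512(m).digest()
def edwards(P, Q):  # affine addition on -x^2 + y^2 = 1 + d*x^2*y^2
    (x1, y1), (x2, y2) = P, Q
    k = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + k, q - 2, q) % q,
            (y1 * y2 + x1 * x2) * pow(1 - k, q - 2, q) % q)
def scalarmult(P, e):  # double-and-add; (0, 1) is the identity
    Q = (0, 1)
    while e:
        if e & 1: Q = edwards(Q, P)
        P, e = edwards(P, P), e >> 1
    return Q
def xrecover(y):  # even root of x^2 = (y^2 - 1) / (d*y^2 + 1)
    xx = (y * y - 1) * pow(d * y * y + 1, q - 2, q) % q
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q: x = x * I % q
    return q - x if x & 1 else x
def encodepoint(P):  # 255 bits of y, top bit carries the parity of x
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")
def decodepoint(s):  # on-curve check omitted; enough for this demonstration
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    return (q - x if (x & 1) != (s[31] >> 7) else x, y)
By = 4 * pow(5, q - 2, q) % q
B = (xrecover(By), By)  # base point

def clamp(h):  # secret scalar from the first half of SHA-512(seed)
    return (int.from_bytes(h[:32], "little") & ~7 & ((1 << 254) - 1)) | (1 << 254)
def publickey(sk):
    return encodepoint(scalarmult(B, clamp(H(sk))))
def sign(m, sk):
    h, A = H(sk), publickey(sk)
    r = int.from_bytes(H(h[32:] + m), "little") % l  # nonce from a SECRET prefix
    R = encodepoint(scalarmult(B, r))
    # The challenge hash covers R || A || M, and R depends on M through the secret
    # prefix, so two messages with colliding hash inputs cannot be prepared ahead
    # of time: collision resistance of SHA-512 is not what this step relies on.
    k = int.from_bytes(H(R + A + m), "little") % l
    return R + ((r + k * clamp(h)) % l).to_bytes(32, "little")
def verify(m, sig, A):  # accept iff S*B == R + k*A
    R, S = sig[:32], int.from_bytes(sig[32:], "little")
    k = int.from_bytes(H(R + A + m), "little") % l
    return scalarmult(B, S) == edwards(decodepoint(R), scalarmult(decodepoint(A), k))
```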