| 1 |
Hi Robin, |
| 2 |
|
| 3 |
On Wed, Apr 06, 2022 at 05:31:09PM +0000, Robin H. Johnson wrote: |
| 4 |
> On Wed, Apr 06, 2022 at 07:06:30PM +0200, Jason A. Donenfeld wrote: |
| 5 |
> > No, you're still missing the point. |
| 6 |
> > |
| 7 |
> > If SHA-512 breaks, the security of the system fails, regardless of |
| 8 |
> > what change we make. This is because GnuPG uses SHA-512 for its |
| 9 |
> > signatures. |
| 10 |
> Question directly for you Jason, because you make a professional study |
| 11 |
> of this: does the type of breakage/successful attack against against |
| 12 |
> SHA-512 matter? |
| 13 |
> |
| 14 |
> e.g. is it possible that some type of attack would only work against the |
| 15 |
> Manifest entry, but NOT against the GPG signature's embedded SHA-512 (or |
| 16 |
> the opposite). |
| 17 |
> |
| 18 |
> The best hypothetical idea I had was that there exists some large |
| 19 |
> special input that lets an attacker reset the output to an arbitrary |
| 20 |
> hash after their malicious payload: but it wouldn't fit in the GPG |
| 21 |
> signature space. |
| 22 |
|
| 23 |
Generally speaking, the more control an attacker has over the input, the |
| 24 |
easier certain types of attacks might be. So maybe in the most general |
| 25 |
sense that applies. I wouldn't model a security analysis around that, |
| 26 |
though. Rather, the usual way to apply that sort of thinking is to |
| 27 |
design algorithms that rely on certain properties of hash functions, but |
| 28 |
not others; for example, Ed25519 does not rely on the hash function |
| 29 |
being collision resistant due to its construction. |
| 30 |
|
| 31 |
Jason |
Archives