Message-ID: <1508440120.19870.14.camel@gentoo.org>
Subject: [gentoo-dev] Manifest2 hashes, take n+1-th
From: Michał Górny
To: gentoo-dev
Date: Thu, 19 Oct 2017 21:08:40 +0200

Hi, everyone.

The previous discussion on Manifest2 hashes pretty much died away
pending fixes to Portage. Since Portage was fixed a while ago, and we
can now safely switch, I'd like to reboot the discussion before
submitting the item for the next Council meeting.

Considering all arguments made so far, I'd like to propose changing:

  manifest-hashes = SHA256 SHA512 WHIRLPOOL

to:

  manifest-hashes = SHA512 SHA3_512

In other words, removing SHA256 and WHIRLPOOL, and adding SHA3_512.


Rationale
---------

1. The main argument for using multiple hashes is to prevent the (very
   unlikely) possibility that if a weakness is discovered in one of
   the hashes, the other would still hold. This is given by using two
   algorithms; more than two do not increase security significantly,
   while they do increase performance cost.

2. For the above to hold, the hashes should be diverse. SHA256 and
   SHA512 are the same algorithm, so a weakness discovered in either
   would probably apply to both -- keeping both does not make sense at
   all. Furthermore, both SHA2 and WHIRLPOOL use the same construct
   (MD), so a weakness in the construct would apply to both.

3. Keeping one of the three old hashes is necessary for compatibility
   reasons. Furthermore, the current versions of Portage consider
   SHA512 obligatory, so we can't remove it without redesigning Portage
   first (though I think this applies only to developer installs, i.e.
   those creating Manifests).

4. The new hashes that are stronger and commonly available are
   SHA3/Keccak (using sponges) and BLAKE2 (HAIFA). Both are diverse
   from our current algorithms, so either is a good candidate.
   The choice of Keccak is purely arbitrary (because it's the winner?).

All the above considered, I think it's most reasonable to use two
hashes with diverse constructs. SHA512 needs to be one of them, for
compatibility reasons. The other could be either SHA3_512 or BLAKE2B,
as a strong, future-proof hash. SHA3 is probably a better choice
because it's going to have more support as the official recommendation.

-- 
Best regards,
Michał Górny
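
The check the proposal relies on, as an added example (not part of the original message and not Portage code): a verifier that accepts a file only when every required hash in its Manifest2 entry matches. The "TYPE name size HASH hex ..." entry layout, the helper names, the file name and the sample bytes are assumptions made for illustration.

```python
import hashlib

# Manifest2 hash names as written in the message -> hashlib algorithm names.
HASHLIB_NAMES = {"SHA256": "sha256", "SHA512": "sha512",
                 "SHA3_512": "sha3_512", "BLAKE2B": "blake2b"}
REQUIRED = ("SHA512", "SHA3_512")  # the proposed manifest-hashes value


def make_entry(kind, name, data, hashes=REQUIRED):
    """Build one entry line: TYPE name size HASH hex [HASH hex ...]."""
    fields = [kind, name, str(len(data))]
    for h in hashes:
        fields += [h, hashlib.new(HASHLIB_NAMES[h], data).hexdigest()]
    return " ".join(fields)


def verify_entry(line, data, required=REQUIRED):
    """Return (ok, reason); every required hash must be present and match."""
    fields = line.split()
    if len(fields) < 5 or len(fields) % 2 == 0:
        return False, "malformed entry"
    if not fields[2].isdigit() or int(fields[2]) != len(data):
        return False, "size mismatch"
    recorded = dict(zip(fields[3::2], fields[4::2]))
    for h in required:
        if h not in recorded:
            return False, "missing required hash " + h
    for h, expected in recorded.items():
        if h not in HASHLIB_NAMES:
            if h in required:
                return False, "unsupported required hash " + h
            continue  # e.g. WHIRLPOOL: not in this table, not required here
        actual = hashlib.new(HASHLIB_NAMES[h], data).hexdigest()
        if actual != expected.lower():
            return False, h + " mismatch"
    return True, "ok"


if __name__ == "__main__":
    good = b"constructed distfile contents\n"   # constructed sample input
    evil = b"constructed distfile c0ntents\n"   # same length, different bytes
    entry = make_entry("DIST", "example-1.0.tar.gz", good)
    print(verify_entry(entry, good))             # (True, 'ok')
    # Simulate a break of SHA512 only: its field matches `evil`, SHA3_512 does not.
    f = entry.split()
    f[4] = hashlib.sha512(evil).hexdigest()
    print(verify_entry(" ".join(f), evil))       # (False, 'SHA3_512 mismatch')
```

An entry carrying only SHA256 and SHA512 is rejected by this verifier with "missing required hash SHA3_512", which is the migration case old Manifests would hit under the proposed setting.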