On Wed, Apr 06, 2022 at 07:06:30PM +0200, Jason A. Donenfeld wrote:
> No, you're still missing the point.
>
> If SHA-512 breaks, the security of the system fails, regardless of
> what change we make. This is because GnuPG uses SHA-512 for its
> signatures.
Question directly for you Jason, because you make a professional study
of this: does the type of breakage/successful attack against SHA-512
matter?

e.g. is it possible that some type of attack would only work against
the Manifest entry, but NOT against the GPG signature's embedded
SHA-512 (or the opposite)?

The best hypothetical idea I had was that there exists some large
special input that lets an attacker reset the output to an arbitrary
hash after their malicious payload: but it wouldn't fit in the GPG
signature space.

>
> So I'll spell out the different possibilities:
> 1) GPG uses SHA-512. Manifest uses SHA-512 and BLAKE2b. score -1 + 0 = -1
> 2) GPG uses SHA-512. Manifest uses SHA-512. score -1 + 0 = -1
> 3) GPG uses SHA-512. Manifest uses BLAKE2b. score -1 + -1 = -2
> See how from a security perspective, (2) is not worse than (1), but
> (3) is worse than both (1) and (2)?
Yes, (2) is not worse than (1) for the overall security perspective.

That leaves the discussion: does (1) have other benefits / value
propositions that make it worth less than (2)? (see my other thread)

--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
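The two layers the thread argues about, as an added example that is not part of the original thread and not Portage or gemato code: a verifier for Manifest `DIST` entries that insists every listed digest matches (so a substituted distfile must survive SHA-512 and BLAKE2b checks at once), plus a small model of Jason's scoring that reports which single hash break defeats the whole chain. It assumes the `DIST <name> <size> <ALGO> <hex> ...` entry layout of GLEP 74 Manifests, supports only the two algorithms named on the page, and uses a constructed distfile rather than a real one. The signature layer is not exercised; it is represented only by the name of the digest the signature uses.

```python
import hashlib

# Manifest hash names mapped to hashlib constructors. Assumption: only the
# two algorithms discussed in the thread are handled here.
HASHES = {
    "SHA512": hashlib.sha512,
    "BLAKE2B": hashlib.blake2b,  # 64-byte digest by default, matching Gentoo's BLAKE2B
}


def parse_dist_line(line):
    """Parse a 'DIST <name> <size> <ALGO> <hex> [<ALGO> <hex> ...]' entry."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or (len(fields) - 3) % 2:
        raise ValueError("malformed DIST entry: %r" % line)
    name, size = fields[1], int(fields[2])
    digests = {}
    for algo, hexdigest in zip(fields[3::2], fields[4::2]):
        if algo not in HASHES:
            raise ValueError("unsupported hash %s" % algo)
        digests[algo] = hexdigest.lower()
    return name, size, digests


def verify_distfile(line, data):
    """Return (ok, failures) for `data` against one DIST entry.

    Every listed digest must match, not just one of them: an attacker who
    wants to swap the distfile then needs a second preimage under all of
    the listed algorithms simultaneously."""
    name, size, digests = parse_dist_line(line)
    failures = []
    if len(data) != size:
        failures.append("size")
    for algo, expected in digests.items():
        if HASHES[algo](data).hexdigest() != expected:
            failures.append(algo)
    return (not failures, failures)


def make_dist_line(name, data, algos):
    """Build the DIST entry a maintainer would record for `data`."""
    parts = ["DIST", name, str(len(data))]
    for algo in algos:
        parts += [algo, HASHES[algo](data).hexdigest()]
    return " ".join(parts)


def single_hash_breaks(sig_hash, manifest_hashes):
    """Model of the scoring in the quoted reply: the set of hash functions
    whose break, on its own, defeats the whole chain. The signature's digest
    is always in that set (a forged Manifest signature bypasses the Manifest
    entirely); the Manifest adds a member only when it relies on exactly one
    algorithm, since with two listed digests both would have to fall."""
    fatal = {sig_hash}
    if len(manifest_hashes) == 1:
        fatal |= set(manifest_hashes)
    return fatal


if __name__ == "__main__":
    data = b"constructed distfile contents\n"  # constructed sample, not a real distfile
    line = make_dist_line("foo-1.0.tar.gz", data, ["BLAKE2B", "SHA512"])
    print(line)
    print("genuine:", verify_distfile(line, data))
    print("tampered:", verify_distfile(line, data[:-1] + b"?"))
    for manifest in (["SHA512", "BLAKE2B"], ["SHA512"], ["BLAKE2B"]):
        fatal = single_hash_breaks("SHA512", manifest)
        print("GPG SHA512, Manifest %s -> score %d, fatal %s"
              % ("+".join(manifest), -len(fatal), sorted(fatal)))
```

The `single_hash_breaks` scores reproduce the three cases in the quoted reply: SHA-512+BLAKE2b and SHA-512-only Manifests both score -1, while a BLAKE2b-only Manifest scores -2 because it introduces a second hash whose break alone is fatal.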