
Re: dpkg-sig support wanted?



On Sat, Nov 26, 2005 at 10:59:57AM +0100, Florian Weimer wrote:
> * Anthony Towns:
>> On Fri, Nov 25, 2005 at 07:59:40PM +0100, Florian Weimer wrote:
>>> * Anthony Towns:

>>> Moving away from MD5 is certainly not a bad idea, but it's not
>>> clear whether the alternatives are any better.  Sure, everyone
>>> recommends SHA-256 at this stage, but nobody can give a rationale.

>> MD5 is broken; SHA-1 is where MD5 was a couple of years ago, SHA256
>> (or higher) are significantly harder to break in practice,

> So?  If SHA256 is so much better, why is that nobody can prove it,
> or at least can provide some evidence which supports that claim?

The idea behind using SHA256 (or SHA512) is that we have more
_margin_. If we are targeting MD5's design security (2^64 against
collisions), even if SHA512 is "broken" significantly - say an attack
four times better than birthday - we still have our expected strength.

It is also the best we can get to *right* *now*, unless we escape to
humongous hash sizes (arithmetic-based designs).

>> and there's nothing better yet.

> In terms of security, there are some better hash functions.  But
> those are academic designs, most of them based on big integer
> arithmetic instead of bit fiddling.  Currently, nobody seems to be
> willing to pay the price that comes with them.

What this means is that your hashes will be as big as your asymmetric
keys, and hashing as slow as asymmetric cryptography. That's
significant.

They also seem to have deeply different security properties as far as
the user is concerned: the one I know, at least
(http://diswww.mit.edu/bloom-picayune/crypto/13190), relies (as
asymmetric crypto does) on n, a hard-to-factor product of two primes p and
q. The "security proof under the assumption that factoring is hard" is
that if you generate a collision, you have factored n (roughly).

Now, what I don't get is: who generates n and thus knows p and q and
thus _can_ generate collisions? Does everyone use his own n (and thus
everyone can generate collisions for the hash _he_ uses, but not for
the hash others use), or do we use a trusted third party (that's a
_significantly_ different security model!) that publishes n?

(When I write n above, I obviously mean the pair (n,g), g element of
maximal order in Z/nZ.)

-- 
Lionel
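The trapdoor question raised in the mail above, worked through on a toy modular-exponentiation hash h(m) = g^m mod n with n = p*q. This is an added example written for this page, not code from the mail or from the design at the linked URL; the primes P, Q, the base G and the message values are constructed, and G is simply assumed to be of maximal order rather than verified.

```python
# Added illustration of a factoring-based hash h(m) = g^m mod n, n = p*q.
# It shows both halves of the question in the mail:
#  (1) whoever knows p and q knows the group exponent and can forge collisions;
#  (2) anyone who finds a collision obtains a multiple of that exponent and
#      can factor n, which is the "security proof under the factoring assumption".
from math import gcd
import random

# Constructed toy parameters; a real instance would need primes of ~1024 bits,
# which is exactly why such hashes are as big and as slow as RSA.
P, Q = 10007, 10009          # constructed small primes
N = P * Q
G = 3                        # constructed base, gcd(G, N) == 1; maximal order assumed
# Carmichael's lambda(n) = lcm(p-1, q-1) is the exponent of (Z/nZ)*:
# g^lambda == 1 (mod n) for every g coprime to n, so lambda is the trapdoor.
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)

def hash_modexp(m: int, g: int = G, n: int = N) -> int:
    """Toy hash: the message is an integer, the digest g^m mod n is as wide as n."""
    return pow(g, m, n)

def forge_collision(m: int, lam: int = LAM) -> int:
    """Trapdoor holder (knows p, q, hence lambda): m + lambda hashes like m."""
    return m + lam

def factor_from_collision(m1: int, m2: int, g: int = G, n: int = N, seed: int = 1) -> int:
    """Given g^m1 == g^m2 (mod n), d = |m1 - m2| is a multiple of ord(g); for g of
    maximal order that is a multiple of lambda(n), and a multiple of lambda(n)
    factors n via a nontrivial square root of 1 (the Miller-Rabin-style trick)."""
    d = abs(m1 - m2)
    if d == 0 or pow(g, d, n) != 1:
        raise ValueError("not a collision for this hash")
    s, t = 0, d
    while t % 2 == 0:            # write d = 2^s * t with t odd
        s, t = s + 1, t // 2
    rng = random.Random(seed)    # seeded so the run is reproducible
    for _ in range(200):         # each trial succeeds with probability >= 1/2
        x = pow(rng.randrange(2, n - 1), t, n)
        for _ in range(s):
            if x == 1 or x == n - 1:
                break            # trivial square root, try another base
            y = pow(x, 2, n)
            if y == 1:
                return gcd(x - 1, n)   # x*x == 1 but x != +-1 => proper factor
            x = y
    raise ValueError("no factor found (is g really of maximal order?)")

if __name__ == "__main__":
    m, m2 = 123456789, forge_collision(123456789)    # constructed messages
    print(hash_modexp(m) == hash_modexp(m2), factor_from_collision(m, m2))
```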
