RFC: Modern digests for buster (BLAKE2?)
(summary)
For buster, we should take a look at strengthening our security by employing
a more modern digest algorithm than SHA2. While SHA2 is not really threatened
yet, adding a more modern hash algorithm now allows us to future-proof our
tools.
Performance evaluation
----------------------
I calculated digests for a 1.6 GB large file on an Ivy Bridge laptop.
                       amd64 runtime   i386 runtime
SHA3-256 (gcrypt):     6.2 seconds
SHA3-512 (gcrypt):    11.4 seconds
BLAKE2S-256:           4.5 seconds     5.3 seconds
BLAKE2B-512:           2.9 seconds
BLAKE2B-256:           2.9 seconds    10.6 seconds
MD5:                   3.0 seconds
SHA1:                  3.7 seconds
SHA256:               10.3 seconds
SHA512:                6.2 seconds
As we can see, on amd64 SHA3 is a horrible choice performance-wise. BLAKE2B performs
better than the MD5 and SHA1 implementations in APT, and is only 3 files
in size - these can be copied into the apt source tree without modification.
The benchmarks are slightly different WRT I/O: The APT ones use APT's
AddFd() method and apt's file fd, the blake2 and gcrypt ones use a simple
loop with fread() adding 32K bytes to the digest per iteration.
Proposal
----------
I propose that we choose BLAKE2b or BLAKE2s based on these preliminary
results, and allow lengths of 256 and 512 bits. This results in fields
"BLAKE2b-512" and "BLAKE2b-256" (or the s variant).
Compatibility requirements:
1. Clients SHOULD support both 512 and 256 bit BLAKE2 hashes, and MUST
validate at least the strongest specified one.
2. Servers SHOULD provide either one, but MUST also provide a SHA256
or SHA512 value.
Furthermore, the spec wording:
"Clients may not use the MD5Sum and SHA1 fields for security purposes, and must require
a SHA256 or a SHA512 field."
is changed to allow validating files containing no SHA2 hashes:
"Clients may not use the MD5Sum and SHA1 fields for security purposes; they must require
a SHA256, SHA512, BLAKE2b-256, or BLAKE2b-512 field."
(or blake2s, whatever we pick)
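The following is an added example, not code from this RFC or from apt, showing
the two pieces above in Python's hashlib: the chunked digest loop (32K bytes
per update, as in the benchmark) for the proposed BLAKE2b-256/BLAKE2b-512
fields, and a client-side check that applies the proposed rule: ignore MD5Sum
and SHA1 for security, refuse an index with no SHA2/BLAKE2b field, and validate
the strongest field present. The strength ranking (512-bit outputs first,
BLAKE2b ahead of SHA2 at equal length), the field names, the sample index
entry and the benchmark size are assumptions for the example.

```python
import hashlib
import hmac
import io
import time

# 32K bytes per update, mirroring the fread() loop used in the benchmark
CHUNK_SIZE = 32 * 1024

# Fields the proposal allows for security decisions, mapped to constructors.
# hashlib.blake2b takes the output length in bytes: 32 -> BLAKE2b-256, 64 -> BLAKE2b-512.
SECURE_FIELDS = {
    "SHA256": lambda: hashlib.sha256(),
    "SHA512": lambda: hashlib.sha512(),
    "BLAKE2b-256": lambda: hashlib.blake2b(digest_size=32),
    "BLAKE2b-512": lambda: hashlib.blake2b(digest_size=64),
}

# Legacy fields may still appear in an index but are never consulted for security.
LEGACY_FIELDS = ("MD5Sum", "SHA1")

# Assumed preference order when several secure fields are present:
# larger output first, BLAKE2b ahead of SHA2 at equal length.
STRENGTH = {"BLAKE2b-512": 4, "SHA512": 3, "BLAKE2b-256": 2, "SHA256": 1}


def digest_stream(fobj, field):
    """Hash a file-like object in CHUNK_SIZE pieces and return the hex digest."""
    h = SECURE_FIELDS[field]()
    while True:
        block = fobj.read(CHUNK_SIZE)
        if not block:
            break
        h.update(block)
    return h.hexdigest()


def strongest_field(fields):
    """Pick the field a client MUST validate: the strongest secure one present.
    Raises ValueError when only MD5Sum/SHA1 (or nothing usable) is available."""
    candidates = [name for name in fields if name in STRENGTH]
    if not candidates:
        raise ValueError("index carries no SHA256, SHA512, BLAKE2b-256 or BLAKE2b-512 field")
    return max(candidates, key=STRENGTH.__getitem__)


def validate(data, fields):
    """Apply the proposed client rule to one file.

    fields maps field names to expected hex digests (constructed here to look
    like the per-file entries of an index). Returns (ok, field_used)."""
    field = strongest_field(fields)
    actual = digest_stream(io.BytesIO(data), field)
    # Constant-time comparison; MD5Sum/SHA1 entries are ignored entirely.
    return hmac.compare_digest(actual, fields[field].lower()), field


def benchmark(size=8 * 1024 * 1024):
    """Time each secure digest over `size` bytes of constructed data.
    Returns {field: seconds}; a small stand-in for the 1.6 GB file run."""
    data = bytes(range(256)) * (size // 256)
    results = {}
    for field in SECURE_FIELDS:
        start = time.perf_counter()
        digest_stream(io.BytesIO(data), field)
        results[field] = time.perf_counter() - start
    return results


if __name__ == "__main__":
    # Constructed sample: a "file" larger than one chunk, plus a matching index entry.
    sample = b"Package: apt\nArchitecture: amd64\n" * 4000
    index_entry = {
        "MD5Sum": hashlib.md5(sample).hexdigest(),
        "SHA256": hashlib.sha256(sample).hexdigest(),
        "BLAKE2b-512": hashlib.blake2b(sample, digest_size=64).hexdigest(),
    }
    print(validate(sample, index_entry))  # (True, 'BLAKE2b-512')
    for field, secs in sorted(benchmark().items(), key=lambda kv: kv[1]):
        print(f"{field:12s} {secs:.3f}s")
```

Running the script validates the constructed sample against its BLAKE2b-512
entry (the SHA256 and MD5Sum entries are present but not used) and prints a
rough per-algorithm timing; the benchmark deliberately reuses the same chunked
loop as the validator so the two numbers are comparable.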
TODO
----
1. Completely embed blake2 into apt and re-run the blake2 benchmarks
   with the integrated blake2 (performance is likely the same, we are
   using exactly the files we would embed).
2. Run the benchmark on other architectures than amd64.
--
Debian Developer - deb.li/jak | jak-linux.org - free software dev
| Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline'). Thank you.