
RFC: Modern digests for buster (BLAKE2?)



(summary)

For buster, we should take a look at strengthening our security by employing
a more modern digest algorithm than SHA2. While SHA2 is not really threatened
yet, adding a more modern hash algorithm now allows us to future-proof our
tools.

Performance evaluation
----------------------
I calculated digests for a 1.6 GB file on an Ivy Bridge laptop.

Algorithm              amd64 runtime
SHA3-256 (gcrypt):     6.2 seconds
SHA3-512 (gcrypt):    11.4 seconds
BLAKE2S-256:           4.5 seconds (i386:  5.3 seconds)
BLAKE2B-512:           2.9 seconds
BLAKE2B-256:           2.9 seconds (i386: 10.6 seconds)
MD5:                   3.0 seconds
SHA1:                  3.7 seconds
SHA256:               10.3 seconds
SHA512:                6.2 seconds

As we can see on amd64, SHA3 is a horrible choice performance-wise. BLAKE2B performs
better than the MD5 and SHA1 implementations in APT, and is only 3 files
large; these can be copied into the apt source tree without modification.

The benchmarks are slightly different WRT I/O: the APT ones use APT's
AddFd() method and apt's file fd; the blake2 and gcrypt ones use a simple
loop with fread() adding 32K bytes to the digest per iteration.

Proposal
--------
I propose that we choose BLAKE2b or BLAKE2s based on these preliminary
results, and allow lengths of 256 and 512 bits. This results in fields
"BLAKE2b-512" and "BLAKE2b-256" (or the s variant).

Compatibility requirements: 

1. Clients SHOULD support both 512 and 256 bit BLAKE2 hashes, and MUST
   validate at least the strongest specified one.
2. Servers SHOULD provide either one, but MUST also provide a SHA256
   or SHA512 value.

Furthermore, the spec wording:
"Clients may not use the MD5Sum and SHA1 fields for security purposes, and must require
 a SHA256 or a SHA512 field."
is changed to allow validating files containing no SHA2 hashes:
"Clients may not use the MD5Sum and SHA1 fields for security purposes; they must require
 a SHA256, SHA512, BLAKE2b-256, or BLAKE2b-512 field."
(or blake2s, whatever we pick)

TODO
----
Completely embed blake2 into apt and re-run the blake2 benchmarks
with the integrated blake2 (performance is likely the same, we are
using exactly the files we would embed).

Run the benchmark on other architectures than amd64.
-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
                  |  Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline').  Thank you.
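The client and server rules proposed above (validate the strongest field present, never count MD5Sum/SHA1, and the old versus new requirement on SHA2 fields), as an added example that is not part of the original post and not apt's own code. It uses Python's hashlib, where BLAKE2b-256 and BLAKE2b-512 are `blake2b` with `digest_size` 32 and 64. The stanza format (`Field: hexdigest` lines), the sample payload and the relative ranking of BLAKE2b-512 above SHA512 (and BLAKE2b-256 above SHA256) are assumptions of this example; the post only says "at least the strongest specified one".

```python
import hashlib
import hmac

# Acceptable fields, strongest first.  The ordering between BLAKE2b and SHA2 of the
# same length is an assumption of this example, not something the proposal fixes.
STRONG_FIELDS = ("BLAKE2b-512", "SHA512", "BLAKE2b-256", "SHA256")

# Legacy fields: may appear in a stanza but must never be used for security purposes.
LEGACY_FIELDS = ("SHA1", "MD5Sum")


def compute(field, data):
    """Hex digest of `data` for the named field.

    hashlib.blake2b takes the output length in bytes.  BLAKE2b-256 is a distinct
    parameterisation (the length is part of BLAKE2's parameter block), not the first
    32 bytes of BLAKE2b-512.
    """
    if field == "BLAKE2b-512":
        return hashlib.blake2b(data, digest_size=64).hexdigest()
    if field == "BLAKE2b-256":
        return hashlib.blake2b(data, digest_size=32).hexdigest()
    if field == "SHA512":
        return hashlib.sha512(data).hexdigest()
    if field == "SHA256":
        return hashlib.sha256(data).hexdigest()
    if field == "SHA1":
        return hashlib.sha1(data).hexdigest()
    if field == "MD5Sum":
        return hashlib.md5(data).hexdigest()
    raise ValueError("unknown digest field: %s" % field)


def parse_stanza(text):
    """Parse 'Field: hexdigest' lines (assumed format) into a dict of lower-case hex."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields[name.strip()] = value.strip().lower()
    return fields


def server_ok(fields):
    """Server rule: BLAKE2 fields are optional, but SHA256 or SHA512 MUST be present."""
    return "SHA256" in fields or "SHA512" in fields


def client_verify(fields, data, require_sha2=False):
    """Client rule.  Returns (accepted, field_checked).

    require_sha2=True models the old wording (a SHA256 or SHA512 field is mandatory);
    False models the proposed wording (any STRONG_FIELDS entry suffices).  Only the
    strongest field present is checked; a matching weaker field does not rescue a
    mismatch, and MD5Sum/SHA1 never count at all.
    """
    if require_sha2 and not server_ok(fields):
        return False, None
    for field in STRONG_FIELDS:
        if field in fields:
            ok = hmac.compare_digest(fields[field], compute(field, data))
            return ok, field
    return False, None


# Constructed sample payload standing in for a downloaded index file.
SAMPLE = b"Package: example\nVersion: 1.0-1\nArchitecture: amd64\n" * 64


def make_stanza(data, names):
    """Build a stanza advertising the given digest fields for `data` (test helper)."""
    return "\n".join("%s: %s" % (n, compute(n, data)) for n in names)


if __name__ == "__main__":
    good = parse_stanza(make_stanza(SAMPLE, ("MD5Sum", "SHA1", "SHA256", "BLAKE2b-512")))
    print(client_verify(good, SAMPLE))            # strongest field BLAKE2b-512 is checked

    legacy_only = parse_stanza(make_stanza(SAMPLE, LEGACY_FIELDS))
    print(client_verify(legacy_only, SAMPLE))     # rejected: nothing usable for security

    tampered = dict(good)
    tampered["BLAKE2b-512"] = compute("BLAKE2b-512", SAMPLE + b"x")
    print(client_verify(tampered, SAMPLE))        # rejected even though SHA256 still matches

    blake_only = parse_stanza(make_stanza(SAMPLE, ("BLAKE2b-256",)))
    print(client_verify(blake_only, SAMPLE, require_sha2=True))  # old wording: rejected
    print(client_verify(blake_only, SAMPLE))      # new wording: accepted
    print(server_ok(blake_only))                  # server violated the MUST on SHA2
```

The `tampered` case is the one worth keeping in mind when wiring this into a real client: checking whichever strong field happens to match first would let an attacker who can break the stronger algorithm's output ride on the weaker one, so the strongest advertised field is the only one consulted.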

