Open JeffreySarnoff opened 9 years ago
I think you may be mistaken---SHA-1 isn't a family, it's a single 160-bit hash function. SHA-512 is one of the SHA-2 hash functions.
I looked into SHA-3 as I haven't seen it used before, but it seems that it isn't recommended as a replacement for SHA-2 at the moment, but instead as an alternative in case SHA-2 ends up getting broken. Do you have any particular thoughts on the matter, though?
Here's the document that I was looking for:
http://csrc.nist.gov/groups/ST/hash/policy.html
Thanks for opening these issues, by the way, I really appreciate the review.
My mistake, still -- I have seen writings about SHA512 not being entirely wonderful. Without looking hard, http://security.stackexchange.com/questions/52041/is-using-sha-512-for-storing-passwords-tolerable has some alternative approaches (I am not vouching for the author's street creds). Maybe you are familiar with that.
My general perspective is that given the effort, it is worthwhile being ahead of the curve. There is real benefit to Julia (as I see it) in being able to say these packages are highly likely to be (a) untampered (b) run securely. I am not a security code expert -- I do like secure code.
Thank you for your work.
On Tue, Dec 1, 2015 at 4:04 AM, Lachlan Gunn notifications@github.com wrote:
Thanks for the link. Using a hash function for password storage is a somewhat different kettle of fish, the reason being that the attack you are trying to protect against is an attacker who tries to brute-force all the common passwords. So you want the hash function to be reasonably slow to compute, like bcrypt and scrypt are.
The problem that they talk about in the link that you gave is essentially that hash functions like MD-* and SHA-(1|2|3) are all designed for high speed, which means an attacker trying to reverse the hash function can try a lot of different passwords. But this has no bearing on collision resistance, which is what we care about.
The risk with SHA-3 is that it is still newish, whereas SHA-2 has already received a lot of attention and so surprises are less likely. Also SHA-2 is faster in software, which is obviously a good thing for our application.
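The distinction drawn in the two comments above (and in the Stack Exchange question linked earlier) is the whole point: a fast hash such as SHA-512 is exactly right for checking that a package archive was not tampered with, and exactly wrong for storing passwords, where the attacker's job is a guessing race. The script below is an added illustration, not code from PkgVerifierPrototype; the archive bytes, password and salt are constructed, and the guess-rate measurement is only a rough timing on whatever machine runs it.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for a package tarball (not a real Julia package).
PACKAGE_BYTES = b"PkgVerifierPrototype sample archive contents v0.1\n" * 64


def package_digest(data: bytes) -> str:
    """Integrity digest for a package archive.

    What we need here is collision resistance: nobody should be able to build a
    second archive with the same digest. SHA-512 (a SHA-2 function) is fast by
    design, and speed is a feature for this job, not a weakness.
    """
    return hashlib.sha512(data).hexdigest()


def verify_package(data: bytes, expected_hex: str) -> bool:
    """Compare a downloaded archive with the digest a trusted index published.

    compare_digest avoids leaking how many leading characters matched.
    """
    return hmac.compare_digest(package_digest(data), expected_hex)


def hash_password(password: str, salt: Optional[bytes] = None,
                  n: int = 2 ** 14) -> Tuple[bytes, bytes]:
    """Password storage: deliberately slow (scrypt) and salted per user.

    n is the CPU/memory cost; 2**14 with r=8 needs about 16 MiB per guess,
    which is what makes bulk guessing expensive for an attacker.
    """
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


def guess_rate(fn: Callable[[], object], seconds: float = 0.2) -> float:
    """Rough guesses-per-second an attacker gets from one core with `fn`."""
    count = 0
    start = time.perf_counter()
    while True:
        fn()
        count += 1
        if time.perf_counter() - start >= seconds:
            break
    return count / (time.perf_counter() - start)


def compare_guess_rates() -> Dict[str, float]:
    """Why a fast hash is a bad password store: orders of magnitude more guesses."""
    salt = b"constructed-salt"
    return {
        "sha512": guess_rate(lambda: hashlib.sha512(b"hunter2").digest()),
        "scrypt": guess_rate(lambda: hash_password("hunter2", salt)),
    }


if __name__ == "__main__":
    published = package_digest(PACKAGE_BYTES)
    print("intact archive verifies:", verify_package(PACKAGE_BYTES, published))
    print("tampered archive verifies:",
          verify_package(PACKAGE_BYTES + b"x", published))
    for name, rate in compare_guess_rates().items():
        print(f"{name:>7}: ~{rate:,.0f} guesses/s")
```

For package verification the digest is published out of band (a signed index, in the prototype's case), and the client recomputes it over the bytes it actually received; the slow-hash machinery only matters when the input is a low-entropy secret that an attacker can enumerate.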
ok
On Tue, Dec 1, 2015 at 4:56 AM, Lachlan Gunn notifications@github.com wrote:
SHA-512 is of the SHA1 family, which is going away in favor of the stronger SHA2 family. Prefer either an SHA2 implementation (about which see http://www.infoworld.com/article/2879073/security/all-you-need-to-know-about-the-move-to-sha-2-encryption.html) or, thought to be much stronger, an SHA3 implementation, q.v. https://github.com/gvanas/KeccakCodePackage.