Merge lp:~cjwatson/launchpad/digest-algo-sha512 into lp:launchpad
Proposed by: Colin Watson

| Status | Merged |
|---|---|
| Merged at revision | 17952 |
| Proposed branch | lp:~cjwatson/launchpad/digest-algo-sha512 |
| Merge into | lp:launchpad |
| Diff against target | 158 lines (+48/-23), 2 files modified: lib/lp/services/gpg/handler.py (+9/-7), lib/lp/services/gpg/tests/test_gpghandler.py (+39/-16) |
| To merge this branch | bzr merge lp:~cjwatson/launchpad/digest-algo-sha512 |
| Related bugs | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| William Grant | code | | Approve |

Review via email: mp+289052@code.launchpad.net
Commit message
Use SHA-512 digests for GPG signing where possible.
Description of the change
Use SHA-512 digests for GPG signing where possible.
This may not work for 1024-bit DSA keys, but it will at least still continue to sign content as gpg falls back to a digest it can use. As far as I can tell, all the key types we've ever used as PPA signing keys can use SHA-512 digests.
Colin - would you consider using SHA-384 instead?
Like SHA-512, SHA-384 uses the same 512-bit internal state size, but because SHA-384 only exposes 384 bits of this internal state in the digest, it's immune to length extension attacks:
https://en.wikipedia.org/wiki/Length_extension_attack
From page 87 of *Cryptography Engineering* by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno:
"""
There is another fix to some of these weaknesses with the SHA-2 family of iterative hash functions: Truncate the output. If a hash function produces n-bit outputs, only use the first n - s bit as the hash value for some positive s. In fact, SHA-224 and SHA-384 both already do this; SHA-224 is roughly SHA-256 with 32 output bits dropped, and SHA-384 is roughly SHA-512 with 128 output bits dropped.
"""
They ultimately recommend using SHA-512 truncated to 256 bits (if you're going to use a SHA-2 hash), but that's not feasible in this case as GPG doesn't support truncated SHA-512.
In terms of standard SHA-2 family hash functions supported by GPG, SHA-384 is the best option in my opinion.
Note that I don't recommend SHA-224 as its 256-bit internal state size is too small by modern standards. SHA-384/SHA-512 are also considerably faster than SHA-224/SHA-256 when it comes to 64-bit software implementations.
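The case made for SHA-384 in the comment above rests on length extension, so here is that attack carried out end to end, as an added example written for this page (it is not Launchpad's code and not part of the branch under review). It builds SHA-512 and SHA-384 from the specification so that the chaining state can be resumed, computes a secret-prefix tag over a constructed message, and forges a tag for an extended message that verifies against SHA-512 but not against SHA-384. The functions `sha512`, `sha384`, `extend`, `demo` and `self_check`, and the inputs `SECRET`, `MESSAGE` and `EXTENSION`, are this example's own; the round constants and IVs are derived at import time from the first 80 primes rather than pasted in. It goes slightly beyond the comment by showing concretely why truncation blocks the attack: the attacker has to supply the 128 state bits that SHA-384 never reveals.

```python
"""Length extension against SHA-512 versus SHA-384, built from the spec.

Added example for the review comment above, not Launchpad code. The hash is
implemented here so that it can be resumed from an exposed chaining state;
sha(secret || message) is the textbook weak MAC that length extension breaks.
SECRET, MESSAGE and EXTENSION are constructed inputs.
"""
import hashlib
import math
import struct

MASK64 = (1 << 64) - 1

def _primes(n):
    out, cand = [], 2
    while len(out) < n:
        if all(cand % p for p in out if p * p <= cand):
            out.append(cand)
        cand += 1
    return out

def _icbrt(n):
    """Floor of the integer cube root: Newton's method from an overestimate."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

_P = _primes(80)
# Round constants: first 64 fractional bits of cbrt(p) for the first 80 primes.
K = [_icbrt(p << 192) & MASK64 for p in _P]
# IVs: first 64 fractional bits of sqrt(p); SHA-512 uses primes 1..8, SHA-384 primes 9..16.
IV512 = [math.isqrt(p << 128) & MASK64 for p in _P[:8]]
IV384 = [math.isqrt(p << 128) & MASK64 for p in _P[8:16]]

def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64

def _compress(state, block):
    """One SHA-512 compression of a 128-byte block into the 8-word state."""
    w = list(struct.unpack(">16Q", block))
    for t in range(16, 80):
        s0 = _rotr(w[t - 15], 1) ^ _rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = _rotr(w[t - 2], 19) ^ _rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK64)
    a, b, c, d, e, f, g, h = state
    for t in range(80):
        t1 = (h + (_rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41))
              + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK64
        t2 = ((_rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK64
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK64, c, b, a, (t1 + t2) & MASK64
    return [(x + y) & MASK64 for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def padding(total_len):
    """Merkle-Damgard padding: 0x80, zeros, then the bit length in 128 bits."""
    zeros = (112 - (total_len + 1)) % 128
    return b"\x80" + b"\x00" * zeros + struct.pack(">QQ", 0, total_len * 8)

def _hash(data, state, out_words, prefix_len=0):
    """Absorb data from state; prefix_len bytes are already in the length field."""
    msg = data + padding(prefix_len + len(data))
    for i in range(0, len(msg), 128):
        state = _compress(state, msg[i:i + 128])
    return struct.pack(">%dQ" % out_words, *state[:out_words])

def sha512(data): return _hash(data, IV512, 8)
def sha384(data): return _hash(data, IV384, 6)

def extend(tag, known_len, extension, missing=()):
    """Forge hash(secret||msg||glue||extension) from hash(secret||msg) and its
    length. A SHA-512 tag is the whole state; SHA-384 exposes only 6 of 8 words."""
    words = len(tag) // 8
    state = list(struct.unpack(">%dQ" % words, tag)) + list(missing)
    glue = padding(known_len)
    return glue, _hash(extension, state, words, prefix_len=known_len + len(glue))

SECRET = b"constructed-secret-key"  # constructed; never seen by the attacker
MESSAGE = b"user=alice;role=user"
EXTENSION = b";role=admin"

def demo():
    """(SHA-512 forgery verifies, SHA-384 forgery with guessed words verifies)."""
    known = len(SECRET) + len(MESSAGE)
    glue, forged = extend(sha512(SECRET + MESSAGE), known, EXTENSION)
    ok512 = forged == sha512(SECRET + MESSAGE + glue + EXTENSION)
    glue, forged = extend(sha384(SECRET + MESSAGE), known, EXTENSION, missing=(0, 0))
    ok384 = forged == sha384(SECRET + MESSAGE + glue + EXTENSION)
    return ok512, ok384

def self_check():
    """Cross-check the from-scratch hashes against hashlib."""
    return (sha512(b"abc") == hashlib.sha512(b"abc").digest()
            and sha384(b"abc") == hashlib.sha384(b"abc").digest())

if __name__ == "__main__":
    print("self-check %s; forgery verifies (SHA-512, SHA-384): %s" % (self_check(), demo()))
```

Running it prints `self-check True; forgery verifies (SHA-512, SHA-384): (True, False)` (Python 3.8 or later, for `math.isqrt`). The SHA-384 attempt fails because the two missing state words are a 2^128 search, not because the compression function differs. One caveat worth keeping in mind when reading this against the merge: the attack needs a secret-prefix construction in which the attacker sees the raw digest of `secret || message`; an OpenPGP signature covers the digest with the signer's private key, which is a different setting from the one this demo models.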