All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Theodore Ts'o" <tytso@mit.edu>
To: Sandy Harris <sandyinchina@gmail.com>
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>,
	netdev@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
	Geert Uytterhoeven <geert@linux-m68k.org>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	Ard Biesheuvel <ardb@kernel.org>,
	Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>,
	Linux Crypto Mailing List <linux-crypto@vger.kernel.org>
Subject: Re: [PATCH RFC v1 0/3] remove remaining users of SHA-1
Date: Thu, 13 Jan 2022 12:28:49 -0500	[thread overview]
Message-ID: <YeBhUTPkmAnLQSzm@mit.edu> (raw)
In-Reply-To: <CACXcFmkauHRkTdD1zkr9QRCwG-uD8=7q9=Wk0_VFueRy-Oy+Nw@mail.gmail.com>

On Thu, Jan 13, 2022 at 11:24:10AM +0800, Sandy Harris wrote:
> Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> 
> > There are currently two remaining users of SHA-1 left in the kernel: bpf
> > tag generation, and ipv6 address calculation.
> 
> I think there are three, since drivers/char/random.c also uses it.

This was changed as of commit 9f9eff85a008 ("random: use BLAKE2s
instead of SHA1 in extraction"), which just landed in Linus's tree.

> Moreover, there's some inefficiency there (or was last time I
> looked) since it produces a 160-bit hash then folds it in half
> to give an 80-bit output.

This dates back to very early days of the /dev/random driver, back
when all that was known about SHA-1 was that it was designed by the
NSA using classified design principles, and it had not yet been as
well studied outside of the halls of the NSA.  So folding the SHA-1
hash in half was done deliberately, since at the time, performance was
*not* the primary goal; security was.

(This was also back in the days when encryption algorithms would run
you into export control difficulties, since this is around the times
when the source code of PGP was being published in an OCR font with a
barcode containing the checksum of the content of every single page
was being published by the MIT press, and we were publishing Kerberos
with all of the *calls* to the crypto stripped out and calling it
"Bones" since there were assertions that code that *called*
cryptographic algoriothms might be subject to export control, even if
it didn't have any crypto algorithms in the program themselves.  This
is also why HMAC-based constructions were so popular.  People seem to
forget how much things have changed since the late 1980's....)

       	   	       	    	    	  - Ted

      parent reply	other threads:[~2022-01-13 17:29 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-12 13:12 [PATCH RFC v1 0/3] remove remaining users of SHA-1 Jason A. Donenfeld
2022-01-12 13:12 ` [PATCH RFC v1 1/3] bpf: move from sha1 to blake2s in tag calculation Jason A. Donenfeld
2022-01-12 22:56   ` Toke Høiland-Jørgensen
2022-01-13  1:33     ` Alexei Starovoitov
2022-01-13 12:27       ` Jason A. Donenfeld
2022-01-13 22:45         ` Alexei Starovoitov
2022-01-14  8:33           ` Geert Uytterhoeven
2022-01-14 14:12           ` Jason A. Donenfeld
2022-01-14 15:08             ` Ard Biesheuvel
2022-01-14 15:20               ` Jason A. Donenfeld
2022-01-14 15:36                 ` Geert Uytterhoeven
2022-01-14 15:59                 ` David Laight
2022-01-14 16:19               ` Alexei Starovoitov
2022-01-14 16:34                 ` Jason A. Donenfeld
2022-01-14 23:04     ` Jeffrey Walton
2022-01-12 13:12 ` [PATCH RFC v1 2/3] ipv6: move from sha1 to blake2s in address calculation Jason A. Donenfeld
2022-01-12 15:49   ` Jason A. Donenfeld
2022-01-12 23:05   ` Toke Høiland-Jørgensen
2022-01-12 23:31     ` Jason A. Donenfeld
2022-01-13 11:15       ` Hannes Frederic Sowa
2022-01-13 12:06         ` Ard Biesheuvel
2022-01-13 12:22           ` Jason A. Donenfeld
2022-01-13 12:29             ` Ard Biesheuvel
2022-01-13 13:30           ` Toke Høiland-Jørgensen
2022-01-13 13:40             ` Ard Biesheuvel
2022-01-13 13:45             ` Jason A. Donenfeld
2022-01-13 13:50               ` Ard Biesheuvel
2022-01-13 13:54                 ` Jason A. Donenfeld
2022-01-13 16:18                   ` Toke Høiland-Jørgensen
2022-01-14 16:07         ` Jason A. Donenfeld
2022-01-14 16:57           ` Toke Høiland-Jørgensen
2022-01-14 17:41           ` Hannes Frederic Sowa
2022-01-14 17:58             ` Jason A. Donenfeld
2022-01-12 13:12 ` [PATCH RFC v1 3/3] crypto: sha1_generic - import lib/sha1.c locally Jason A. Donenfeld
2022-01-12 18:50 ` [PATCH RFC v1 0/3] remove remaining users of SHA-1 David Sterba
2022-01-12 18:57   ` Jason A. Donenfeld
2022-01-13  3:24 ` Sandy Harris
2022-01-13  8:08   ` Ard Biesheuvel
2022-01-13 17:28   ` Theodore Ts'o [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YeBhUTPkmAnLQSzm@mit.edu \
    --to=tytso@mit.edu \
    --cc=Jason@zx2c4.com \
    --cc=ardb@kernel.org \
    --cc=geert@linux-m68k.org \
    --cc=herbert@gondor.apana.org.au \
    --cc=jeanphilippe.aumasson@gmail.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=sandyinchina@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.