From owner-freebsd-security@FreeBSD.ORG Thu Sep 6 18:28:17 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 664) id D434C1065676; Thu, 6 Sep 2012 18:28:17 +0000 (UTC) Date: Thu, 6 Sep 2012 11:28:16 -0700 From: David O'Brien To: Dag-Erling =?unknown-8bit?B?U23DuHJncmF2?= Message-ID: <20120906182816.GE13179@dragon.NUXI.org> References: <201208221843.q7MIhLU4077951@svn.freebsd.org> <5043DBAF.40506@FreeBSD.org> <20120903005708.7082f230@gumby.homeunix.com> <20120906171824.GC14757@dragon.NUXI.org> <86392vqc86.fsf@ds4.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <86392vqc86.fsf@ds4.des.no> X-Operating-System: FreeBSD 10.0-CURRENT X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.5.20 (2009-06-14) Cc: Arthur Mesh , freebsd-security@freebsd.org, RW Subject: Re: svn commit: r239569 - head/etc/rc.d X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: obrien@freebsd.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Sep 2012 18:28:17 -0000 On Thu, Sep 06, 2012 at 07:42:49PM +0200, Dag-Erling Smrgrav wrote: > David O'Brien writes: > > RW writes: > > > IMO the order should be reversed or the low-grade stuff should be > > > piped through sha256. > > We considered that. Arthur wanted to do it sooner, but I'm concerned > > about impact of multiple sha256 invocations on a large amount of data > > on low-end MIPS. > > Is there a reason to choose sha256 over a weaker, faster hash? I see Arthur, But still wanted to give my own longer responce. Using a weaker hash could reduce the amount of entropy in the output (due to collisions). The Yarrow paper makes this argument (but willing to potentially loose some entropy) in 5 'The Generic Yarrow Design an Yarrow-160' The reason is if you take an 'm' bit random value and apply a hash function that produces 'm' bits of output, the result has less than 'm' bits of entropy due to the collisions that occur. This is a very minor effect, and overall results in the loss of at most a few bits of entropy. For a good entropy input I likely agree with you. But for the poor-grade entropy input I don't think we want to prematurely loose any of it. But I have not fully thought thru potential loss of entropy in a hash of a hash [where entropy was or wasn't lost]. -- -- David (obrien@FreeBSD.org)