Re: RFC (round 2): Change the default hostname for Fedora 26+

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Nov 11, 2016 at 01:20:26PM -0500, Stephen Gallagher wrote:
> On 11/11/2016 12:17 PM, Andrew Lutomirski wrote:
> > /me dons crypto hat.
> > 
> > SHA(x || k) has three problems, one of which is bad enough to be an absolute
> > showstopper.
> > 
> > 1. Specify *which* SHA.  SHA-1 should not be used for new applications.
> > 
> > 2. Concatenation without some additional property preventing collisions of the
> > hashed data is problematic.  In particular, if you shorten x by a byte and
> > prepend the same byte to k, you get the same output.  This is probably
> > irrelevant for this particular use case, but it's still a sign that the
> > construction is bad.
> > 
> > 3.  The SHA hashes, like all Merkle-Damgård hashes, is subject to
> > length-extension attacks.  In particular, if x is a multiple (or slightly above
> > a multiple) of the block length, then anyone who learns SHA(x) can efficiently
> > derive SHA(x || k).  This basically removes all security from this scheme.
> > 
> > HMAC(k, x) would be much better.
Thanks, that's something to take into consideration.

> > But I think this protocol is generally more fragile then needed.  How about
> > generating a per-app-installation random value and HMAC-ing *that* with the
> > machine id?
> 
> I think this is extreme overkill for something that doesn't need to be
> cryptographically sound. It literally just needs to be eight characters with a
> sensible random distribution. I considered using some non-reversible
> transformation of machine-id for this simply because I wanted to avoid trying to
> consume any of the entropy in /dev/random since we'd be doing this early in the
> installer (when entropy tends to be at a premium). Maybe that was overkill and I
> should just pull from /dev/random.

There's one advantage to deriving the hostname from machine-id: it is
predictable and will always be generated the same. Usually this will not
matter, but if /etc is readonly we might no be able to save the hostname.

> I can't think of a reason why we'd need a cryptographically secure
> transformation just to generate a random hostname.

We want it cryptographically secure to preserve the machine-id. It's
probably not too important in itself, but it's a good idea to keep
it hidden because other hashes might be generated from it.

Zbyszek
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux