• CNCHI suggestion: Switch LUKS to SHA512 hashing algo


    Several months after installing Antergos on my laptop (going strong, btw!), I just noticed that the LUKS portion of the CNCHI installer uses the SHA1 hashing algorithm by default. I have learned that this is a function of LUKS and Linux in general. But unfortunately, the SHA1 algorithm has been widely accepted as broken (read: relatively insecure) for several years now.

    https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

    So my suggestion is that CNCHI switch to the more secure SHA512 hashing algorithm. I’m not sure how difficult this is, but I suspect it should be little trouble for the CNCHI devs.

    On a related subject, the default *cipher* algorithm is AES, which is still widely regarded as secure. However, AES is the chosen algo of the NSA, US government in general, and pretty much everyone else. Yes, my hat is coincidentally constructed of tinfoil, but that does not mean my suspicions are invalid.

    I, who am not a cryptographer nor even much of a programmer, believe that AES and even SHA1 make brute-force attacks computationally expensive. But switching to SHA512 would provide arguably more security for little to no computational cost, and other block cipher algorithms such as Serpent or Twofish should at least be considered for use in the installer.

    Thanks.


  • Hi Tesmo,

    We’ll check it and change it to SHA512. I can’t guarantee when, though.

    Cheers!
