On 2019-05-20 03:47, Johannes Thumshirn wrote:
> On Sat, May 18, 2019 at 02:38:08AM +0200, Adam Borowski wrote:
> > On Fri, May 17, 2019 at 09:07:03PM +0200, Johannes Thumshirn wrote:
> > > On Fri, May 17, 2019 at 08:36:23PM +0200, Diego Calleja wrote:
> > > > If btrfs needs an algorithm with good performance/security ratio, I would
> > > > suggest considering BLAKE2 [1]. It is based on the BLAKE algorithm that made
> > > > it to the final round in the SHA3 competition, it is considered pretty secure
> > > > (above SHA2 at least), and it was designed to take advantage of modern CPU
> > > > features and be as fast as possible - it even beats SHA1 in that regard. It is
> > > > not currently in the kernel but Wireguard uses it and will add an
> > > > implementation when it's merged (but Wireguard doesn't use the crypto layer
> > > > for some reason...)
> > >
> > > SHA3 is on my list of other candidates to look at for a performance
> > > evaluation. As for BLAKE2 I haven't done too much research on it and I'm not a
> > > cryptographer so I have to trust FIPS et al.
> >
> > "Trust FIPS" is the main problem here. Until recently, FIPS certification
> > required implementing this nice random generator:
> > https://en.wikipedia.org/wiki/Dual_EC_DRBG
> > Thus, a good part of people are reluctant to use hash functions chosen by
> > NIST (and published as FIPS).
>
> I know, but please also understand that there are applications which do
> require FIPS certified algorithms.

Those would also be cryptographic applications, which BTRFS is not. If
you're in one of those situations and need to have cryptographic
verification of files on the system, you need to be using either IMA,
dm-verity, or dm-integrity.