Skein in FreeBSD
The Skein hash function is now part of FreeBSD.
Comments
Scott Arciszewski • May 27, 2016 3:35 PM
Actually, I take that back: TwoFish would likely have the same cache-timing vulnerability AES has, without the presence of AES-NI to mitigate it. That would be a security mistake against local attackers (i.e. “the cloud”).
The point was to make an analogous comparison. 🙂
Aaron Toponce • May 27, 2016 4:35 PM
What’s the point? Is there anything in FreeBSD that relies on Skein? Just curious why it was added? Or is it one of those “because we can” things?
Anura • May 27, 2016 5:28 PM
@Scott Arciszewski
I haven’t seen anything on timing attacks against Twofish, whether this is because the more (mathematically) complex structure and/or dynamic s-boxes makes it more difficult to perform, or if it’s just because Twofish hasn’t been subjected to much scrutiny, I don’t know. However, if you don’t have a system with a hardware implementation of AES (many smartphones probably don’t), or your use-case doesn’t give the attackers known plaintexts (e.g. using disk encryption to protect your information if your laptop is stolen), Twofish could be a better choice than AES. Ideally, we’d have a block cipher that had been heavily scrutinized that uses only arithmetic operations, but that’s not the case.
Wiki says Skein is derived from threefish, and that it’s a hash function.
🙂
Allan Jude • May 28, 2016 11:49 AM
Skein was added to FreeBSD in support of ZFS. ZFS optionally uses the skein hash because it is faster than SHA2 and because it has HMAC like properties. Specifically, when checksumming blocks with skein and using that checksum for deduplication, a per-pool salt is used to ensure an attacker cannot calculate a collision against the deduplication.
Subscribe to comments on this entry
Leave a comment
Sidebar photo of Bruce Schneier by Joe MacInnis.
Scott Arciszewski • May 27, 2016 3:30 PM
That’s an interesting choice, to say the least. For people that don’t trust NIST, I can understand using BLAKE2b (better security than SHA-256 and performance that beats MD5 on modern architectures), but SHA2 and SHA3 are fine.
I guess it’s like using TwoFish instead of AES: Probably not a security mistake, but strange.