Comments

Scott Arciszewski • May 27, 2016 3:30 PM

That's an interesting choice, to say the least. For people that don't trust NIST, I can understand using BLAKE2b (better security than SHA-256 and performance that beats MD5 on modern architectures), but SHA2 and SHA3 are fine.

I guess it's like using Twofish instead of AES: Probably not a security mistake, but strange.

Scott Arciszewski • May 27, 2016 3:35 PM

Actually, I take that back: Twofish would likely have the same cache-timing vulnerability AES has, without the presence of AES-NI to mitigate it. That would be a security mistake against local attackers (i.e. "the cloud").

The point was to make an analogous comparison. :)

Aaron Toponce • May 27, 2016 4:35 PM

What's the point? Is there anything in FreeBSD that relies on Skein? Just curious why it was added? Or is it one of those "because we can" things?

Anura • May 27, 2016 5:28 PM

@Scott Arciszewski

I haven't seen anything on timing attacks against Twofish; whether this is because the more (mathematically) complex structure and/or dynamic s-boxes make it more difficult to perform, or if it's just because Twofish hasn't been subjected to much scrutiny, I don't know. However, if you don't have a system with a hardware implementation of AES (many smartphones probably don't), or your use-case doesn't give the attackers known plaintexts (e.g. using disk encryption to protect your information if your laptop is stolen), Twofish could be a better choice than AES. Ideally, we'd have a block cipher that had been heavily scrutinized that uses only arithmetic operations, but that's not the case.

r • May 27, 2016 5:42 PM

Wiki says Skein is derived from Threefish, and that it's a hash function.

:)

Allan Jude • May 28, 2016 11:49 AM

Skein was added to FreeBSD in support of ZFS. ZFS optionally uses the Skein hash because it is faster than SHA2 and because it has HMAC-like properties. Specifically, when checksumming blocks with Skein and using that checksum for deduplication, a per-pool salt is used to ensure an attacker cannot calculate a collision against the deduplication.
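
The salted-checksum deduplication described in the comment above, sketched as an added example that is not part of the original thread and is not ZFS code. Keyed BLAKE2b stands in for salted Skein (Python's `hashlib` has no Skein), and the `DedupPool` class, the 32-byte salt and the sample block are assumptions made for illustration.

```python
import hashlib
import os


class DedupPool:
    """Toy block store that deduplicates on a keyed checksum (hypothetical)."""

    def __init__(self, salt=None):
        # Per-pool secret salt, generated once when the pool is created
        # (assumption: 32 random bytes).
        self.salt = salt if salt is not None else os.urandom(32)
        self.blocks = {}    # checksum -> stored block
        self.refcount = {}  # checksum -> number of logical references

    def checksum(self, block):
        # Keyed BLAKE2b is a stand-in for the salted Skein hash.
        return hashlib.blake2b(block, key=self.salt, digest_size=32).digest()

    def write(self, block):
        """Store a block; return (checksum, True if it was deduplicated)."""
        cs = self.checksum(block)
        if cs in self.blocks:
            self.refcount[cs] += 1
            return cs, True
        self.blocks[cs] = block
        self.refcount[cs] = 1
        return cs, False


def unsalted(block):
    # What anyone can compute offline without knowing a pool's salt.
    return hashlib.blake2b(block, digest_size=32).digest()


def demo():
    pool_a, pool_b = DedupPool(), DedupPool()
    block = b"constructed sample block " * 16  # constructed sample data
    cs1, dup1 = pool_a.write(block)
    cs2, dup2 = pool_a.write(block)
    cs_b, _ = pool_b.write(block)
    return {
        # Identical blocks still collapse to one copy inside a pool.
        "dedup_within_pool": (not dup1) and dup2 and cs1 == cs2,
        # The same block gets unrelated checksums in differently salted pools.
        "differs_across_pools": cs1 != cs_b,
        # An offline, unsalted digest says nothing about the pool's checksum.
        "differs_from_unsalted": cs1 != unsalted(block),
        "stored_blocks": len(pool_a.blocks),
    }


if __name__ == "__main__":
    print(demo())
```

Because the dedup table is indexed by a checksum that depends on a secret, a collision prepared offline against the bare hash gives no control over which entry a block lands on in a given pool.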
