#1653 [RFE] Change default HASH values from 256 --> 512?
Closed: migrated 3 years ago by dmoluguw. Opened 8 years ago by mharmsen.

In /etc/pki/default.cfg, we currently have the following:

# grep -e "=SHA" -e ^"\[" /etc/pki/default.cfg 
[DEFAULT]
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_signing_algorithm=SHA256withRSA
pki_ssl_server_key_algorithm=SHA256withRSA
pki_subsystem_key_algorithm=SHA256withRSA
[Tomcat]
[CA]
pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_signing_algorithm=SHA256withRSA
[KRA]
pki_storage_key_algorithm=SHA256withRSA
pki_storage_signing_algorithm=SHA256withRSA
pki_transport_key_algorithm=SHA256withRSA
pki_transport_signing_algorithm=SHA256withRSA
[OCSP]
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_signing_algorithm=SHA256withRSA
[RA]
[TKS]
[TPS]

Several end-users have often been overriding most if not all of these values with SHA512withRSA.

There are some sources (see http://crypto.stackexchange.com/questions/26336/sha512-faster-than-sha256) which report that SHA512 may actually be faster to compute than SHA256 when using 64-bit machines (the primary platform for CS).

Alternatively, there are some notable people who appear to refute the use of SHA512 vs. SHA256 (albeit based upon the argument for the purposes of "extra security") - (see https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/26LIJ9j4mZw/LyXYG0d8m5wJ).

Should we consider changing the current default values of SHA256withRSA to SHA512withRSA in /etc/pki/default.cfg?
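
An added example, not part of the original ticket or of Dogtag's own code: a small audit that layers an override file over the defaults and reports, per subsystem section, which digest each `*_algorithm` setting ends up with, so a partial SHA512withRSA override is visible. It assumes the override is layered over default.cfg with Python `configparser` semantics (sections inherit from `[DEFAULT]`); the function names and both sample configurations are constructed for illustration.

```python
import configparser

# Constructed sample: a trimmed copy of the defaults quoted in the ticket.
DEFAULTS = """
[DEFAULT]
pki_audit_signing_signing_algorithm=SHA256withRSA
pki_ssl_server_key_algorithm=SHA256withRSA
[CA]
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ocsp_signing_signing_algorithm=SHA256withRSA
[KRA]
pki_storage_signing_algorithm=SHA256withRSA
"""

# Constructed sample: a hypothetical site override that changes only some values.
OVERRIDE = """
[DEFAULT]
pki_audit_signing_signing_algorithm=SHA512withRSA
[CA]
pki_ca_signing_signing_algorithm=SHA512withRSA
"""


def effective_algorithms(*layers):
    """Merge config layers in order; return {section: {param: algorithm}}."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in layers:
        cp.read_string(text)  # later layers override earlier ones
    # items(section) includes values inherited from [DEFAULT].
    return {
        section: {k: v for k, v in cp.items(section) if k.endswith("_algorithm")}
        for section in cp.sections()
    }


def mixed_digest_sections(effective):
    """Return sections whose algorithm settings use more than one digest."""
    mixed = {}
    for section, params in effective.items():
        digests = {value.split("with")[0] for value in params.values()}
        if len(digests) > 1:
            mixed[section] = sorted(digests)
    return mixed


if __name__ == "__main__":
    eff = effective_algorithms(DEFAULTS, OVERRIDE)
    for section, digests in mixed_digest_sections(eff).items():
        print(f"[{section}] mixes digests: {', '.join(digests)}")
        for param, algorithm in sorted(eff[section].items()):
            print(f"    {param} = {algorithm}")
```
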


rrelyea,

Please provide any merits/pitfalls to any decision on whether or not to implement this by default.

Thanks,
-- Matt

Replying to [comment:4 mharmsen]:

rrelyea,

Please provide any merits/pitfalls to any decision on whether or not to implement this by default.

Thanks,
-- Matt

rrelyea replied:

The big risk is if there are clients that use SHA-256 and not SHA-512. I 
don't know if any exist. Most toolkits, libraries, etc. implemented all 
the SHA-2 hashes at once, so it's probably pretty minor, but SHA-256 
has gotten the most attention of the SHA-2 hashes, so it's possible 
there may be some out there.

SHA-512 is more secure than SHA-256, but I'm not sure the bar is truly 
meaningful (I'm not sure that there is a real risk with SHA-256), but it 
does provide some psychological advantage.

SHA-512 has a bigger block size and is slower, though the block size 
turns out is limited by the signature algorithms anyway, so 
it shouldn't affect the size of the certificate. SHA-384 and SHA-512 are 
about the same speed. In general the government used SHA-384 because it 
fits their security requirements more closely and has a shorter bit length.

Per CS/DS Meeting of 10/19/2015: 10.4

Future consideration should be given to this to either:
(a) potentially change defaults from 256 -> 384, and/or
(b) potentially revisit this once SHA-3 becomes available

Metadata Update from @mharmsen:
- Issue set to the milestone: UNTRIAGED

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2212

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
