From 4fdb204850d76c57bdca8bc18b877036efcc24e5 Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Fri, 21 Feb 2025 17:30:18 -0500 Subject: [PATCH] Deprecate SipHash It's quite useful as a hash table index randomizer but is not necessarily great as an authentication code, especially considering the small output size. --- doc/api_ref/message_auth_codes.rst | 13 ++++++++++--- doc/deprecated.rst | 3 +++ readme.rst | 2 +- src/build-data/policy/modern.txt | 1 - src/lib/mac/siphash/info.txt | 1 + 5 files changed, 15 insertions(+), 5 deletions(-) diff --git a/doc/api_ref/message_auth_codes.rst b/doc/api_ref/message_auth_codes.rst index df5e277e423..26811e808a8 100644 --- a/doc/api_ref/message_auth_codes.rst +++ b/doc/api_ref/message_auth_codes.rst @@ -208,9 +208,14 @@ Algorithm specification name: ``Poly1305`` SipHash ~~~~~~~~~~~~ -A modern and very fast PRF. Produces only a 64-bit output. Defaults to -"SipHash(2,4)" which is the recommended configuration, using 2 rounds for each -input block and 4 rounds for finalization. +.. deprecated:: 3.8.0 + +SipHash is primarily designed for hash table randomization and, while not +known to be insecure for message authentication, is not advisable for this +use due to the small output size (just 64 bits). + +Defaults to "SipHash(2,4)" which is the recommended configuration, using 2 +rounds for each input block and 4 rounds for finalization. Available if ``BOTAN_HAS_SIPHASH`` is defined. @@ -224,6 +229,8 @@ Algorithm specification name: X9.19-MAC ~~~~~~~~~~~~ +.. deprecated:: 3.7.0 + A CBC-MAC variant sometimes used in finance. Always uses DES. Sometimes called the "DES retail MAC", also standardized in ISO 9797-1. diff --git a/doc/deprecated.rst b/doc/deprecated.rst index 93e7571ad4f..5694bd29a2f 100644 --- a/doc/deprecated.rst +++ b/doc/deprecated.rst 
@@ -139,6 +139,9 @@ Deprecated modules include permutation, but rather the Keccak hash originally proposed during the SHA-3 competition. +- MAC ``siphash``: Only supports a 64-bit output length, and not really intended + for cryptography per se. + - MAC ``x919_mac``: Quite obsolete at this point - Signature scheme ``dsa``: Finite field DSA is slow, very rarely used anymore, diff --git a/readme.rst b/readme.rst index 9eee182e084..aa8e5844e9f 100644 --- a/readme.rst +++ b/readme.rst @@ -129,7 +129,7 @@ Ciphers, hashes, MACs, and checksums * Stream ciphers (X)ChaCha20, (X)Salsa20, RC4 * Hash functions SHA-1, SHA-2, SHA-3, RIPEMD-160, BLAKE2b/BLAKE2s, Skein-512, SM3, Whirlpool * Password hashing schemes Argon2, Scrypt, bcrypt, and PBKDF2 -* Authentication codes HMAC, CMAC, Poly1305, KMAC, SipHash, GMAC +* Authentication codes HMAC, CMAC, Poly1305, KMAC, GMAC Other Useful Things ---------------------------------------- diff --git a/src/build-data/policy/modern.txt b/src/build-data/policy/modern.txt index 83680739cc5..133d9241c3c 100644 --- a/src/build-data/policy/modern.txt +++ b/src/build-data/policy/modern.txt @@ -23,7 +23,6 @@ hkdf cmac hmac poly1305 -siphash pbkdf2 bcrypt diff --git a/src/lib/mac/siphash/info.txt b/src/lib/mac/siphash/info.txt index 6a3d7e07a50..0298651513a 100644 --- a/src/lib/mac/siphash/info.txt +++ b/src/lib/mac/siphash/info.txt @@ -4,4 +4,5 @@ SIPHASH -> 20150110 name -> "SipHash" +lifecycle -> "Deprecated"
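Review bot: in the second hunk of doc/api_ref/message_auth_codes.rst, the added `.. deprecated:: 3.7.0` under X9.19-MAC is outside the scope of the subject "Deprecate SipHash" and carries a different version than the `3.8.0` used for SipHash. Either state in the commit message that this also back-fills a marker for the already-deprecated `x919_mac` module (deprecated.rst lists it in the unchanged context), or move it to its own commit. In the SipHash section itself, keeping "which is the recommended configuration" directly below a deprecation notice reads oddly; "which is the default configuration" says what is meant without implying a recommendation.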
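Review bot: in the doc/deprecated.rst hunk, the justification "not really intended for cryptography per se" contradicts the wording this same patch adds to message_auth_codes.rst ("while not known to be insecure for message authentication") and is inaccurate as written, since SipHash was published as a keyed PRF intended for authenticating short inputs; the actual limitation is the 64-bit output. Suggest aligning the two entries, e.g. `- MAC ``siphash``: Only supports a 64-bit output length, too short for general message authentication, though still useful for hash table randomization.`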
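Review bot: the readme.rst hunk removes SipHash from the "Authentication codes" line entirely even though the module still ships (src/lib/mac/siphash/info.txt only gains `lifecycle -> "Deprecated"`), so a reader checking the readme will conclude the algorithm is unavailable. Consider `SipHash (deprecated)` in that list, or leave the line alone until the module is actually removed.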
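Review bot: the src/build-data/policy/modern.txt hunk is the one behavioural change in an otherwise documentation-only patch: assuming the surrounding list (`cmac`, `hmac`, `poly1305`, `pbkdf2`, `bcrypt`) is the set of modules the policy enables, builds using the modern module policy will silently lose SipHash rather than merely see it flagged as deprecated. The commit message should mention this so the change is discoverable from the log, and a release-notes line would help anyone whose build depends on that policy.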