Weaknesses in SHA-1, gnupg dev versions

Werner Koch wk at gnupg.org
Thu Sep 23 16:33:40 CEST 2004

On Wed, 22 Sep 2004 21:24:27 +0200, Thomas Schorpp said:

> i would like sha512 too for better protection of my passphrase(?).
> sorry, i cant afford helping implementing crypto-algorithms in gnupg.

The protection of your passphrase is limited by the length of the
passphrase you are able to remember.  A SHA-1 based key wrapping is
more than sufficient.

> stepping 1-3 was out and "problems" signing keys...?
> ill not try cvs due to possible security hazard, since im doing "near
> production" field tests with the openpgp testcard.

There is not much difference between a release and the CVS version -
a development release is merely easier to build and should not have
obvious build problems.

I have just commited a couple of changes to the card code.  There are
now commands to import a key and to create individual key on the card
(--edit-key, addcardkey, keytocard).  Main missing point is now a
backup scheme for the encryption key.

> if theres no official "security quality cycle" in this dev process, i
> suggest cryptology specialists involved attacking my test key with
> target "signature reproducal", etc.

Sorry, I don't understand this.


More information about the Gnupg-devel mailing list