Weaknesses in SHA-1, gnupg dev versions
Werner Koch
wk at gnupg.org
Thu Sep 23 16:33:40 CEST 2004
On Wed, 22 Sep 2004 21:24:27 +0200, Thomas Schorpp said:
> i would like sha512 too for better protection of my passphrase(?).
> sorry, i cant afford helping implementing crypto-algorithms in gnupg.
The protection of your passphrase is limited by the length of the
passphrase you are able to remember. A SHA-1 based key wrapping is
more than sufficient.
> stepping 1-3 was out and "problems" signing keys...?
> ill not try cvs due to possible security hazard, since im doing "near
> production" field tests with the openpgp testcard.
There is not much difference between a release and the CVS version -
a development release is merely easier to build and should not have
obvious build problems.
I have just commited a couple of changes to the card code. There are
now commands to import a key and to create individual key on the card
(--edit-key, addcardkey, keytocard). Main missing point is now a
backup scheme for the encryption key.
> if theres no official "security quality cycle" in this dev process, i
> suggest cryptology specialists involved attacking my test key with
> target "signature reproducal", etc.
Sorry, I don't understand this.
Werner
More information about the Gnupg-devel
mailing list