Weaknesses in SHA-1, gnupg dev versions

Thomas Schorpp t.schorpp at gmx.de
Fri Sep 24 12:54:51 CEST 2004


Werner Koch wrote:
| On Wed, 22 Sep 2004 21:24:27 +0200, Thomas Schorpp said:
|
|
|>i would like sha512 too for better protection of my passphrase(?).
|>sorry, i can't afford helping implementing crypto-algorithms in gnupg.
|
|
| The protection of your passphrase is limited by the length of the
| passphrase you are able to remember.  A SHA-1 based key wrapping is
| more than sufficient.

hopefully. i personally use "cascaded" passphrase storage with security
ranking, holding lower security ranking passwords within a gpg encrypted
file protected by my many words unforgettable master phrase since 1996,
meantime on a "secure" usb device with cryptochip.  since i've got many
"customers" here having the "forgot passwords problem" (even for simple
unix root accs or smime mail certificates with
ms-strong-crypto-provider), i suggest such a system.
better ideas, comments, risk analysis?

|
|
|>stepping 1-3 was out and "problems" signing keys...?
|>i'll not try cvs due to possible security hazard, since i'm doing "near
|>production" field tests with the openpgp testcard.
|
|
| There is not much difference between a release and the CVS version -
| a development release is merely easier to build and should not have
| obvious build problems.

i see.

|
| I have just committed a couple of changes to the card code.  There are
| now commands to import a key and to create individual key on the card
| (--edit-key, addcardkey, keytocard).  Main missing point is now a
| backup scheme for the encryption key.

cool ;) any special testing scenarios/cases?

|
|
|>if there's no official "security quality cycle" in this dev process, i
|>suggest cryptology specialists involved attacking my test key with
|>target "signature reproducal", etc.
|
|
| Sorry, I don't understand this.

i knew you'd say that ;) but i cannot lecture such an experienced project
lead like You on security sw lifecycle management and sw qm/qa since You
know about.
the question was, (regarding the ägypten project): why not here, too?
are classic oss projects maillists alone sufficient for gnupg and
security software (oncoming) special requirements?

|
|   Werner
|
|
Tomm


