Weaknesses in SHA-1, gnupg dev versions

Thomas Schorpp t.schorpp at gmx.de
Fri Sep 24 12:54:51 CEST 2004

Hash: SHA1

Werner Koch wrote:
| On Wed, 22 Sep 2004 21:24:27 +0200, Thomas Schorpp said:
|>i would like sha512 too for better protection of my passphrase(?).
|>sorry, i cant afford helping implementing crypto-algorithms in gnupg.
| The protection of your passphrase is limited by the length of the
| passphrase you are able to remember.  A SHA-1 based key wrapping is
| more than sufficient.

hopefully. i personally use "cascaded" passphrase storage with scurity
ranking, holding lower security ranking passwords within a gpg encrypted
file protected by my many words unforgetable master phrase since 1996,
meantime on a "secure" usb device with cryptochip.  since ive got many
"customers" here having the "forgot passswords problem" (even for simple
unix root accs or smime mail certificates with
ms-strong-crypto-provider), i suggest such a system.
better ideas, comments, risk analysis?

|>stepping 1-3 was out and "problems" signing keys...?
|>ill not try cvs due to possible security hazard, since im doing "near
|>production" field tests with the openpgp testcard.
| There is not much difference between a release and the CVS version -
| a development release is merely easier to build and should not have
| obvious build problems.

i see.

| I have just commited a couple of changes to the card code.  There are
| now commands to import a key and to create individual key on the card
| (--edit-key, addcardkey, keytocard).  Main missing point is now a
| backup scheme for the encryption key.

cool ;) any special testing scenarios/cases?

|>if theres no official "security quality cycle" in this dev process, i
|>suggest cryptology specialists involved attacking my test key with
|>target "signature reproducal", etc.
| Sorry, I don't understand this.

i knew youd say that ;) but i cannot lecture such an experienced project
lead like You on security sw lifecycle management and sw qm/qa since You
know about.
the question was, (regarding the ägypten project): why not here, too?
are classic oss projects maillists alone sufficient for gnupg and
security software (oncoming) special requirements?

|   Werner

Version: GnuPG v1.3.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org


More information about the Gnupg-devel mailing list