A coming attack on PGP, and a way to mitigate it

David Shaw dshaw at jabberwocky.com
Mon May 4 05:35:59 CEST 2009

On May 3, 2009, at 11:13 PM, Daniel Franke wrote:

> David Shaw <dshaw at jabberwocky.com> writes:
>> I rather like this idea.  I was thinking that a good way to tie it
>> into the GPG way of doing things would be another one of the %-
>> expandos.  So you could do something like set a notation for
>> "random at example.com=%10r" for 10 digits of random hex, %15r for 15
>> digits, etc.
>> Before we go down this road, however, it might be worth waiting the
>> (should be short) period of time before the new SHA-1 paper is
>> formally published and people can give it a good read over.  The
>> slides are good, but I think it's healthy to get a better notion of
>> the attack before we implement a countermeasure (even one as harmless
>> to compatibility as this).
> I wrote a followup last night retracting this idea, as it isn't quite
> going to work.  For some reason though, it never got redelivered back
> to me even though it's in the ML archive:
> http://lists.gnupg.org/pipermail/gnupg-devel/2009-May/024967.html

Drat, I made the same error.  The nonce would have to be much earlier
in the stream of bits being hashed to be useful.  Ah well, it was too
good to be true :)

> Did you receive it but overlook it before writing this response, or
> did it get dropped?

Interesting.  I never got it at all.

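Why a nonce hashed late in the stream cannot help, shown with a toy Merkle-Damgård hash (an added demonstration, not code from this thread or from GnuPG): once two prefixes reach the same chaining value, any identical suffix hashed afterwards, such as a random notation in the signature's hashed subpackets, preserves the collision, whereas a nonce absorbed before the attacker-controlled bytes changes the starting state. The 16-bit hash, its constants and the nonce value are constructed for the example.

```python
# Constructed 16-bit Merkle-Damgard hash, deliberately weak so a collision is cheap.
from typing import Dict, Tuple

MASK = 0xFFFF
IV = 0x1234  # constructed initial chaining value

def compress(state: int, block: int) -> int:
    """Toy compression function: mix one message byte into the 16-bit state."""
    x = (state ^ (block * 0x9E37)) & MASK
    x = (x * 0x6B4D + 0x1F23) & MASK
    return (x ^ (x >> 7)) & MASK

def chain(state: int, data: bytes) -> int:
    """Run the Merkle-Damgard iteration over data from a given chaining value."""
    for b in data:
        state = compress(state, b)
    return state

def toy_hash(msg: bytes) -> int:
    """Full hash: iterate from IV, then absorb a length byte (MD strengthening)."""
    return compress(chain(IV, msg), len(msg) & 0xFF)

def find_colliding_prefixes() -> Tuple[bytes, bytes]:
    """Birthday search: two distinct 3-byte prefixes with the same chaining value."""
    seen: Dict[int, bytes] = {}
    i = 0
    while True:
        prefix = i.to_bytes(3, "big")
        state = chain(IV, prefix)
        if state in seen:
            return seen[state], prefix
        seen[state] = prefix
        i += 1

def nonce_appended_survives(p1: bytes, p2: bytes, nonce: bytes) -> bool:
    """Nonce hashed after the colliding data (like a signature notation): collision kept."""
    return toy_hash(p1 + nonce) == toy_hash(p2 + nonce)

def nonce_prepended_survives(p1: bytes, p2: bytes, nonce: bytes) -> bool:
    """Nonce hashed first: the chaining value differs before the colliding bytes."""
    return toy_hash(nonce + p1) == toy_hash(nonce + p2)

if __name__ == "__main__":
    a, b = find_colliding_prefixes()
    nonce = b"random at example.com=0123456789"  # stands in for a %10r notation
    print(a.hex(), b.hex(), toy_hash(a) == toy_hash(b))
    print("appended keeps collision:", nonce_appended_survives(a, b, nonce))
    print("prepended keeps collision:", nonce_prepended_survives(a, b, nonce))
```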