SHA1 being used despite public key preferences

smu johnson smujohnson at gmail.com
Tue Oct 19 22:42:20 CEST 2010


Hello,

I wish to bring up a serious issue I hope will get some discussion.  I'll
try to be "to the point" in hopes more people read this.  I have posted
about this before, but AFAIK, none of the developers for GnuPG saw it.

Some facts:

1)  SHA-1 was considered broken by Bruce Schneier in 2005.
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
2)  An attack with a complexity of 2^51 was published in 2008 for
collisions.  http://eprint.iacr.org/2008/469.pdf
3)  The 2010 book "Cryptography Engineering" recommends people do NOT use
SHA-1.

So, why are we still using SHA-1 in GnuPG?  Worse yet, why is GnuPG picking
it as the default hash signing algorithm, when people like myself have taken
the time to explicitly set SHA-2 to be used before SHA-1 in a public key
pref?

If I'm sending something to Joe with the "-se -r joe" arguments, I think it
should look at Joe's public key preferences for the digest-algo.  It already
does this with the cipher-algo, so why not the digest?  If Joe is paranoid
enough to put SHA-2 algorithms first on his prefs, and they're being
ignored... what is the security in that?  No matter what he does, his
requests are being ignored on any GnuPG default install from people sending
him signed messages, unless he has to bother them with manually changing it
to something else which would obviously be a very tiresome process, and
likely the recipient of these instructions won't even care or know what Joe
is talking about.  Needless to say, it is very frustrating for Joe.

This has been brought up a few times on this mailing list, but I haven't
seen any of the coders really give any thoughts on the matter.

Here is a screenshot I made proving that TWOFISH is being adhered to, but
SHA-2 digests are being ignored.  I colour-coded it with MSPAINT to help you see
the relevant stuff.

Screenshot here:
http://members.shaw.ca/smujohnson/img/gnupg-sha1-problem.png

Some final words:  This is not an argument to remove SHA-1 from GnuPG.  I
know that the OpenPGP rfc says it must have it.  I'm simply saying that if
people put it at the "back of the list", then it shouldn't still pick it
first if the key preferences say otherwise.  Although I would definitely be
in favour of the OpenPGP standard changing to actually remove SHA-1, I doubt
I have enough clout to single-handedly make that happen.  The above solution
would probably make me happy enough for a while.  Or at the very least, it
would be a step in the right direction.

Thank you for reading.

-- 
smu johnson <smujohnson at gmail.com>
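An added example, not part of the mail above and not GnuPG's own code: a small Python decoder for OpenPGP v4 signature packets (RFC 4880, section 5.2.3) that reports which hash algorithm a signature actually used and pulls the preferred-hash (subpacket 21) and preferred-symmetric (subpacket 11) lists out of a self-signature, so the mismatch described above can be checked from the bytes rather than from a screenshot. The sample packets are constructed here for parsing only (the MPIs are dummies and would never verify); algorithm ids and packet layout follow RFC 4880.

```python
"""Decode an OpenPGP v4 signature packet and compare the digest it used
with the key owner's published hash preferences (RFC 4880 layout)."""

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
SYM_ALGOS = {2: "3DES", 3: "CAST5", 7: "AES128", 8: "AES192",
             9: "AES256", 10: "TWOFISH"}
PUBKEY_ALGOS = {1: "RSA", 17: "DSA"}
SUBPKT_PREF_SYM, SUBPKT_PREF_HASH = 11, 21   # RFC 4880 5.2.3.1 subpacket types


def _encode_len(n):
    """Subpacket / new-format length encoding, one or two octets (RFC 4880 4.2.2)."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    raise ValueError("length too large for this example")


def _decode_len(buf, i):
    """Return (length, index after the length field) for a length field at buf[i]."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 255:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5


def read_packet(data):
    """Return (tag, body) of the first packet; handles old and new header formats."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                   # new-format header
        tag = first & 0x3F
        length, off = _decode_len(data, 1)
    else:                                              # old-format header
        tag = (first >> 2) & 0x0F
        ltype = first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        width = {0: 1, 1: 2, 2: 4}[ltype]
        length, off = int.from_bytes(data[1:1 + width], "big"), 1 + width
    return tag, data[off:off + length]


def parse_subpackets(blob):
    """Yield (type, value) pairs from a signature subpacket area."""
    subs, i = [], 0
    while i < len(blob):
        length, i = _decode_len(blob, i)               # length covers the type octet
        subs.append((blob[i] & 0x7F, blob[i + 1:i + length]))
        i += length
    return subs


def parse_signature(data):
    """Decode a v4 signature: type, key algorithm, digest used, and any preference lists."""
    tag, body = read_packet(data)
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a v4 signature packet")
    sig_type, pk_algo, hash_algo = body[1], body[2], body[3]
    hashed_len = int.from_bytes(body[4:6], "big")
    prefs = {}
    for stype, val in parse_subpackets(body[6:6 + hashed_len]):
        if stype == SUBPKT_PREF_HASH:
            prefs["hash"] = [HASH_ALGOS.get(b, b) for b in val]
        elif stype == SUBPKT_PREF_SYM:
            prefs["sym"] = [SYM_ALGOS.get(b, b) for b in val]
    return {"sig_type": sig_type,
            "pubkey_algo": PUBKEY_ALGOS.get(pk_algo, pk_algo),
            "hash_algo": HASH_ALGOS.get(hash_algo, hash_algo),
            "prefs": prefs}


def sha1_chosen_over_stronger(sig):
    """True when the signer used SHA1 although the key owner listed another
    digest ahead of it, i.e. the situation the mail complains about."""
    prefs = sig["prefs"].get("hash", [])
    return sig["hash_algo"] == "SHA1" and "SHA1" in prefs and prefs.index("SHA1") > 0


def build_self_sig(hash_algo, pref_hash, pref_sym):
    """Constructed test data: positive-certification self-signature (0x13) from a
    DSA key carrying preference subpackets. Dummy MPIs, never verifiable."""
    sub_sym = _encode_len(1 + len(pref_sym)) + bytes([SUBPKT_PREF_SYM]) + bytes(pref_sym)
    sub_hash = _encode_len(1 + len(pref_hash)) + bytes([SUBPKT_PREF_HASH]) + bytes(pref_hash)
    hashed = sub_sym + sub_hash
    body = (bytes([4, 0x13, 17, hash_algo])
            + len(hashed).to_bytes(2, "big") + hashed
            + b"\x00\x00"                  # no unhashed subpackets
            + b"\xab\xcd"                  # left 16 bits of the hash (dummy)
            + b"\x00\x08\xff" * 2)         # two dummy 8-bit MPIs (DSA r, s)
    return bytes([0x80 | (2 << 2), len(body)]) + body   # old-format header, tag 2


# Constructed: key owner prefers SHA512 > SHA384 > SHA256 > SHA1 and
# TWOFISH > AES256 > AES128; the first signer still used SHA1, the second SHA256.
SAMPLE_SHA1_SIG = build_self_sig(2, [10, 9, 8, 2], [10, 9, 7])
SAMPLE_SHA256_SIG = build_self_sig(8, [10, 9, 8, 2], [10, 9, 7])

if __name__ == "__main__":
    for blob in (SAMPLE_SHA1_SIG, SAMPLE_SHA256_SIG):
        sig = parse_signature(blob)
        verdict = "SHA1 despite stronger prefs" if sha1_chosen_over_stronger(sig) else "ok"
        print(sig["hash_algo"], sig["prefs"], verdict)
```

On a real key, the same preference subpackets live in the hashed area of the self-signature that `gpg --export` emits, so the parser can be pointed at exported key material; the dummy MPIs here only exist so the constructed packets have the right shape.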