SHA1 being used despite public key preferences

David Shaw dshaw at jabberwocky.com
Wed Oct 20 01:01:50 CEST 2010


On Oct 19, 2010, at 4:42 PM, smu johnson wrote:

> Hello,
> 
> I wish to bring up a serious issue I hope will get some discussion.  I'll try to be "to the point" in hopes more people read this.  I have posted about this before, but AFAIK, none of the developers for GnuPG saw it.
> 
> Some facts:
> 
> 1)  SHA-1 was considered broken by Bruce Schneier in 2005.  http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
> 2)  An attack with a complexity of 2^51 was published in 2008 for collisions.  http://eprint.iacr.org/2008/469.pdf
> 3)  The 2010 book "Cryptography Engineering" recommends people do NOT use SHA-1.
> 
> So, why are we still using SHA-1 in GnuPG?  Worse yet, why is GnuPG picking it as the default hash signing algorithm, when people like myself have taken the time to explicitly set SHA-2 to be used before SHA-1 in a public key pref?
> 
> If I'm sending something to Joe with the "-se -r joe" arguments, I think it should look at Joe's public key preferences for the digest-algo.  It already does this with the cipher-algo, so why not the digest?  If Joe is paranoid enough to put SHA-2 algorithms first on his prefs, and they're being ignored... what is the security in that?

Because the ultimate authority on which algorithms to use is the sender, not the receiver.  Joe may *ask* for certain algorithms, but the sender must be both willing and able to use them.  If the sender doesn't like SHA-256 (or whatever), Joe can't have it, even if he asks for it.

In this particular case of the signing digest, GnuPG does in fact honor the preferences of the recipient, but for historical reasons, the only algorithm that the sender will allow is SHA-1 (thus effectively disabling the feature).  The reason behind this is that old versions of GnuPG generated keys with a standard hash preference of RIPEMD/160 before SHA-1.  When GnuPG got the ability to use that preference to decide which hash to pick, people who were expecting SHA-1 suddenly got RIPEMD/160.  In order to not violate the law of least surprise, we stuck a SHA-1 preference in personal-digest-preferences.

If you want to issue signatures using the choices of your recipient, put this in your gpg.conf:

  personal-digest-preferences none

(i.e. you have no preference yourself, so allow the recipient to choose)

Alternately, you can list whatever preferences you do have, and the recipient will be allowed to pick among them.

David
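
An added example, not part of the message above and not GnuPG code: a small Python check that compares the digest algorithm a signature actually used with the hash preferences on the recipient's key. The sample text is constructed and modelled on `gpg --list-packets` output (that line format is an assumption), and the function names are hypothetical.

```python
import re

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

# Constructed sample text, modelled on `gpg --list-packets` output.
# Key IDs, timestamps and digest bytes are placeholders.
SAMPLE_KEY_DUMP = """\
:signature packet: algo 1, keyid 0000000000000001
\tversion 4, created 1287500000, md5len 0, sigclass 0x13
\tdigest algo 8, begin of digest 00 00
\thashed subpkt 11 len 3 (pref-sym-algos: 9 8 7)
\thashed subpkt 21 len 3 (pref-hash-algos: 10 8 2)
"""
SAMPLE_MESSAGE_DUMP = """\
:signature packet: algo 1, keyid 0000000000000002
\tversion 4, created 1287529310, md5len 0, sigclass 0x00
\tdigest algo 2, begin of digest 00 00
"""

def name_of(algo):
    return HASH_NAMES.get(algo, "unknown(%d)" % algo)

def recipient_hash_prefs(key_dump):
    """Ordered hash preferences from the first self-signature that lists them."""
    m = re.search(r"pref-hash-algos:\s*([\d ]+)\)", key_dump)
    return [int(x) for x in m.group(1).split()] if m else []

def signature_digests(dump):
    """Digest algorithm ID of every signature packet in the dump."""
    return [int(x) for x in re.findall(r"^\s*digest algo (\d+)", dump, re.M)]

def audit(key_dump, message_dump):
    """Report each signature's digest and its rank in the recipient's list.

    rank 0 means the recipient's first choice was used; None means the
    digest does not appear in the recipient's preference list at all.
    """
    prefs = recipient_hash_prefs(key_dump)
    report = []
    for algo in signature_digests(message_dump):
        report.append({
            "digest": name_of(algo),
            "rank": prefs.index(algo) if algo in prefs else None,
            "first_choice": name_of(prefs[0]) if prefs else None,
        })
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_KEY_DUMP, SAMPLE_MESSAGE_DUMP):
        print(row)
```

A non-zero rank for SHA1 on a signed message is the situation described in this thread: the recipient's key asks for something else first, but the sender's configuration only allowed SHA-1.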



