SHA3 IANA registration - method?
Andrey Jivsov
openpgp at brainhub.org
Fri Dec 14 19:32:58 CET 2012
On 12/14/2012 10:11 AM, Daniel Kahn Gillmor wrote:
> On 12/14/2012 12:55 PM, Andrey Jivsov wrote:
>> The use of fingerprints in OpenPGP
>> should be viewed as dependent on collision resistance of the hash
>> function,
>
> My recollection from the review and discussion i participated in was
> that the OpenPGP fingerprint's security was dependent on the preimage
> resistance of the hash function, not on the collision resistance.
>
> If that's correct, OpenPGP should be OK on the fingerprint for a while
> yet (modulo some organizations that just want to be rid of "old" digest
> algorithms without understanding the nuances in where they're used).
>
> Can you describe an attack that might show how weak collision resistance
> could compromise the fingerprint?
Here is one scenario.
I generate two keys A, B with the same fingerprint. I provide the key A
to another party. Another party encrypts a message to me using this key.
At some later point that party deletes the key A, but diligently keeps
the audit log that states that the fingerprint of the key A was used to
encrypt a message to me. After all, the key was initially trusted by its
fingerprint, so it seems OK to only save the fingerprint.
From this point I can claim repudiation (aka an alibi), stating that
the sender has never properly encrypted the message to me that I could
have ever read. Here is my key (B) with the same fingerprint that
matches the one that the server has, but this key doesn't decrypt the
message.
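The repudiation scenario above turns on an audit log that retains only the fingerprint. The following is an added illustration, not code from this thread or from GnuPG: it uses a toy fingerprint (SHA-256 truncated to 16 bits, an assumption chosen so that a collision is found in a few hundred tries) to build two constructed "keys" with the same fingerprint, then compares a fingerprint-only log entry with one that retains the full key when the second key is later presented as "the" key.

```python
import hashlib

# Toy fingerprint: SHA-256 truncated to 16 bits. This is an assumption made
# only so that a collision can be found quickly; it stands in for a hash whose
# collision resistance has eroded. Real OpenPGP fingerprints are far longer.
FP_BITS = 16


def fingerprint(key: bytes) -> str:
    digest = hashlib.sha256(key).digest()
    return digest[: FP_BITS // 8].hex()


def make_colliding_keys(seed: int = 0) -> tuple[bytes, bytes]:
    """Return two distinct constructed key blobs with the same toy fingerprint.

    Deterministic birthday search so the result is reproducible across runs.
    The blobs are constructed placeholders, not real key material.
    """
    seen: dict[str, bytes] = {}
    counter = seed
    while True:
        key = b"constructed-key-" + counter.to_bytes(8, "big")
        fp = fingerprint(key)
        if fp in seen:
            return seen[fp], key  # (earlier key, later key) sharing fp
        seen[fp] = key
        counter += 1


def log_fingerprint_only(key: bytes) -> dict:
    """The audit-log design from the scenario: fingerprint retained, key deleted."""
    return {"fingerprint": fingerprint(key)}


def log_with_full_key(key: bytes) -> dict:
    """Hardened design: keep the full public key alongside its fingerprint."""
    return {"fingerprint": fingerprint(key), "key": key}


def claim_supported_by_log(entry: dict, presented_key: bytes) -> bool:
    """Does the log entry support the claim that presented_key was the key used?

    A fingerprint-only entry can do no better than compare fingerprints, so a
    colliding key is accepted. An entry holding the full key compares the key.
    """
    if "key" in entry:
        return entry["key"] == presented_key
    return entry["fingerprint"] == fingerprint(presented_key)
```

With keys A and B from `make_colliding_keys()`, the fingerprint-only entry for A accepts B as the key used, while the full-key entry rejects it.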