please change the default hashing algorithm

Ben McGinnes ben at adversary.org
Tue Jul 14 21:37:41 CEST 2015


On 15/07/2015 5:13 am, Andrew Clausen wrote:
> Excerpts from Ben McGinnes's message of 2015-07-14 19:47:07 +0100:
>>
>> Ah, classic, if the concern pertains to the majority of end users that
>> will be effectively neutralised when the switch to ECC forces them off
>> classic and onto modern.
> 
> I worry that this might still be some time away.  My main concern is
> with signing messages and files, not signing keys.  For example,
> Ubuntu 14.04 LTS packages are signed with SHA-1 hashes.  (Their newer
> more experimental releases are using SHA-256, IIRC.)

While they probably should switch entirely to 256 (or higher), they're
unlikely to be in any danger during the period in which those packages
are current (even with long-term support distributions).

> Aside: many people are rightly nervous about switching to elliptic
> curves.  The maths is harder to understand, the most popular curves
> have vulnerabilities (possibly by design!), and safe curves were only
> developed quite recently.  (See http://safecurves.cr.yp.to/)

Yeah, I've read it.  Though popular depends on who you speak to, it's
probably better to say the current NIST recommendations are vulnerable,
whereas the most popular curve is not (and its popularity stems from
the reaction to NIST and the undermining of NIST by NSA).

> Of course, the switch will happen, but it might be slow.  Perhaps
> GPG could give users better guidance that they ought to be using
> Curve 25519 rather than the vulnerable NIST or brainpool curves.
> (I'm looking at https://www.gnupg.org/faq/whats-new-in-2.1.html#ecc,
> which might be out of date.)

Work is currently being done to add 25519 for encryption to modern, in
addition to its existing implementation for signing.  With regards to
recommendations, that's also being hashed out (if you'll pardon the
pun) with the revision of RFC 4880.

>> Changing the default preferences can probably be done, but I'll wait
>> for Werner to return from his holiday and comment on that.  Also,
>> there may be an additional complication with regards to the digest
>> used with the self-signature packet during key creation.  I just
>> double-checked another key I made earlier this year which definitely
>> had SHA512 as the preferred first choice hash in gpg.conf during key
>> creation and it still has SHA1 in the self signatures.  It was also
>> generated with classic due to the key size (I was doing silly things
>> to prove a point elsewhere).
> 
> This would be great, thanks!

Like I said, it's Werner's call.  He might just do it or he might wait
until the IETF work is complete and then bring all three branches into
line with that.  IIRC the current position is to move to SHA-512 or to
SHA-3 once a decision has been made on that.


Regards,
Ben
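The observation above, that a key generated with SHA512 first in the gpg.conf digest preferences still carries SHA1 in its self-signatures, is something anyone can check on their own keyring with `gpg --list-packets`. The script below is an added example and is not code from this thread or from GnuPG: it parses the packet dump format `gpg --list-packets` prints (`:signature packet:` headers followed by indented `sigclass` and `digest algo` lines), keeps only the self-signature classes from RFC 4880 (certifications 0x10 to 0x13, subkey binding 0x18, primary key binding 0x19, direct key 0x1f), and reports any that were made with MD5, SHA1 or RIPEMD160. The listing embedded in it is constructed, including the key ID, so that it runs offline; on a real keyring you would pipe in `gpg --export KEYID | gpg --list-packets`.

```python
import re

# RFC 4880 section 9.4 hash algorithm IDs, as printed by `gpg --list-packets`
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}

# Signature classes that bind a key to its own user IDs or subkeys
# (self-signatures): 0x10-0x13 certifications, 0x18 subkey binding,
# 0x19 primary key binding, 0x1f direct key signature.
SELF_SIG_CLASSES = {0x10, 0x11, 0x12, 0x13, 0x18, 0x19, 0x1f}

# Constructed sample dump (not a real key, key ID is made up): the user ID
# self-certification was made with SHA1 (digest algo 2) while the subkey
# binding signature uses SHA512 (digest algo 10).
SAMPLE_LISTING = """\
:public key packet:
\tversion 4, algo 1, created 1436869061, expires 0
:user ID packet: "Example User <user at example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1436869061, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 8a 4c
:public sub key packet:
\tversion 4, algo 1, created 1436869061, expires 0
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1436869061, md5len 0, sigclass 0x18
\tdigest algo 10, begin of digest f1 02
"""


def parse_signature_packets(listing):
    """Return one dict (keyid, sigclass, digest) per signature packet in a
    `gpg --list-packets` dump. Indented lines belong to the packet whose
    header line precedes them; any new ':...' header ends the current packet."""
    sigs = []
    current = None
    for line in listing.splitlines():
        header = re.match(r":signature packet: algo (\d+), keyid ([0-9A-Fa-f]+)",
                          line.strip())
        if header:
            current = {"keyid": header.group(2), "sigclass": None, "digest": None}
            sigs.append(current)
            continue
        if line.startswith(":"):
            # some other packet type (key, user ID, subkey): leave signature context
            current = None
            continue
        if current is None:
            continue
        m = re.search(r"sigclass 0x([0-9A-Fa-f]+)", line)
        if m:
            current["sigclass"] = int(m.group(1), 16)
        m = re.search(r"digest algo (\d+)", line)
        if m:
            current["digest"] = int(m.group(1))
    return sigs


def weak_self_signatures(listing):
    """Return (keyid, sigclass, hash name) for every self-signature that was
    made with a digest algorithm in WEAK_HASHES."""
    findings = []
    for sig in parse_signature_packets(listing):
        if sig["sigclass"] in SELF_SIG_CLASSES and sig["digest"] is not None:
            name = HASH_ALGOS.get(sig["digest"], "algo %d" % sig["digest"])
            if name in WEAK_HASHES:
                findings.append((sig["keyid"], sig["sigclass"], name))
    return findings


if __name__ == "__main__":
    for keyid, sigclass, name in weak_self_signatures(SAMPLE_LISTING):
        print("key %s: self-signature class 0x%02x uses %s" % (keyid, sigclass, name))
```

For the sample the script reports the 0x13 certification as SHA1 and stays silent on the SHA512 subkey binding. Note that in gpg.conf the digest used for key signatures, self-signatures included, is governed by `cert-digest-algo`, whereas `personal-digest-preferences` and `digest-algo` only affect signatures over messages and files; that distinction is why a key can carry SHA512 in its preference list and still be self-signed with SHA1.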

