Weaknesses in SHA-1
David Shaw
dshaw at jabberwocky.com
Wed Sep 22 04:14:46 CEST 2004
On Tue, Sep 21, 2004 at 07:25:20PM -0400, Atom 'Smasher' wrote:
> it's unfortunate that this thread is "Weaknesses in SHA-1". it really
> should be "rumored Weaknesses in SHA-1".
>
> (never mind that i sign with SHA-256) SHA-1 has been subject to much more
> critical analysis than the larger SHA variants, and for that reason it can
> be considered more secure.
>
> since most people are using DSA (really DSS) signatures, most people are
> stuck with a 160 bit hash for signatures. the only common 160 bit hash
> that's generally considered to be comparable to SHA-1's security is
> RIPEMD-160. gpg 1.2 fully supports RIPEMD-160 and i don't think it's going
> away anytime soon... and it works with DSA (DSS) signatures. if you're
> concerned about SHA-1, just add this to your gpg.conf:
Keep in mind that the argument against SHA256 that it hasn't been
analyzed as much as SHA-1 also applies to RIPEMD-160 (though to less
of a degree than SHA256).
> ## this creates RIPEMD-160 data signatures
> digest-algo RIPEMD160
>
> ## this creates RIPEMD-160 key signatures
> cert-digest-algo RIPEMD160
I recommend against this. SHA-1 is not, repeat, not broken. We
should not run around switching hashes willy-nilly because of a rumor.
If someone manages to make actual progress against SHA-1, it'll be
major news.

Avoiding the use of SHA-1 in OpenPGP is somewhat silly since many
major parts of the standard (like fingerprints) use SHA-1 only.
David
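
The point about fingerprints, as an added example that is not part of the original message: an OpenPGP version 4 fingerprint is defined (RFC 4880, section 12.2) as a SHA-1 hash over the public key packet, so no digest-algo or cert-digest-algo setting changes it. The key values below are constructed sample data, not a real key, and the function names are this example's own.

```python
import hashlib
import struct


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian value."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 Public-Key packet for an RSA key (algorithm ID 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the packet body.

    The hash is fixed by the packet format; there is no algorithm parameter.
    """
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 bytes of the fingerprint."""
    return fingerprint[-16:]


# Constructed sample values (assumptions for illustration only): a 1024-bit
# number standing in for an RSA modulus, the usual exponent 65537, and an
# arbitrary creation timestamp.
SAMPLE_N = (1 << 1023) + 12345
SAMPLE_E = 65537
SAMPLE_CREATED = 1095800000

if __name__ == "__main__":
    body = rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
    fpr = v4_fingerprint(body)
    print("fingerprint:", fpr)
    print("key ID:     ", key_id(fpr))
    # The creation time is part of the hashed data, so the same key
    # material with a different timestamp has a different fingerprint.
    other = rsa_public_key_body(SAMPLE_CREATED + 1, SAMPLE_N, SAMPLE_E)
    print("same key, later timestamp:", v4_fingerprint(other))
```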