Weaknesses in SHA-1

David Shaw dshaw at jabberwocky.com
Wed Sep 22 04:14:46 CEST 2004

Hash: SHA1

On Tue, Sep 21, 2004 at 07:25:20PM -0400, Atom 'Smasher' wrote:
> it's unfortunate that this thread is "Weaknesses in SHA-1". it really 
> should be "rumored Weaknesses in SHA-1".
> (never mind that i sign with SHA-256) SHA-1 has been subject to much more 
> critical analysis than the larger SHA variants, and for that reason it can 
> be considered more secure.
> since most people are using DSA (really DSS) signatures, most people are 
> stuck with a 160 bit hash for signatures. the only common 160 bit hash 
> that's generally considered to be comparable to SHA-1's security is 
> RIPEMD-160. gpg 1.2 fully supports RIPEMD-160 and i don't think it's going 
> away anytime soon... and it works with DSA (DSS) signatures. if you're 
> concerned about SHA-1, just add this to your gpg.Cong:

Keep in mind that the argument against SHA256 that it hasn't been
analyzed as much as SHA-1 also applies to RIPEMD-160 (though to less
of a degree than SHA256).

> ## this creates RIPEMD-160 data signatures
> digest-algo RIPEMD160
> ## this creates RIPEMD-160 key signatures
> cert-digest-algo RIPEMD160

I recommend against this.  SHA-1 is not, repeat, not broken.  We
should not run around switching hashes willy-nilly because of a rumor.
If someone manages to make actual progress against SHA-1, it'll be
major news.

Avoiding the use of SHA-1 in OpenPGP is somewhat silly since many
major parts of the standard (like fingerprints) use SHA-1 only.

Version: GnuPG v1.3.90-cvs (GNU/Linux)


More information about the Gnupg-users mailing list