Weaknesses in SHA-1
dshaw at jabberwocky.com
Wed Sep 22 04:14:46 CEST 2004
On Tue, Sep 21, 2004 at 07:25:20PM -0400, Atom 'Smasher' wrote:

> it's unfortunate that this thread is "Weaknesses in SHA-1". it really
> should be "rumored Weaknesses in SHA-1".
>
> (never mind that i sign with SHA-256) SHA-1 has been subject to much more
> critical analysis than the larger SHA variants, and for that reason it can
> be considered more secure.
>
> since most people are using DSA (really DSS) signatures, most people are
> stuck with a 160 bit hash for signatures. the only common 160 bit hash
> that's generally considered to be comparable to SHA-1's security is
> RIPEMD-160. gpg 1.2 fully supports RIPEMD-160 and i don't think it's going
> away anytime soon... and it works with DSA (DSS) signatures. if you're
> concerned about SHA-1, just add this to your gpg.conf:

Keep in mind that the argument against SHA256 that it hasn't been
analyzed as much as SHA-1 also applies to RIPEMD-160 (though to less
of a degree than SHA256).

> ## this creates RIPEMD-160 data signatures
> digest-algo RIPEMD160
> ## this creates RIPEMD-160 key signatures
> cert-digest-algo RIPEMD160

I recommend against this. SHA-1 is not, repeat, not broken. We
should not run around switching hashes willy-nilly because of a rumor.
If someone manages to make actual progress against SHA-1, it'll be

Avoiding the use of SHA-1 in OpenPGP is somewhat silly since many
major parts of the standard (like fingerprints) use SHA-1 only.