Weaknesses in SHA-1

David Shaw dshaw at jabberwocky.com
Fri Sep 24 17:54:16 CEST 2004

On Fri, Sep 24, 2004 at 04:15:23PM +0200, Johan Wevers wrote:
> markus reichelt wrote:
> >why? he states:
> >
> >"To a user of cryptographic systems -- as I assume most readers are --
> >this news is important, but not particularly worrisome.  MD5 and SHA
> >aren't suddenly insecure.  No one is going to be breaking digital
> >signatures or reading encrypted messages anytime soon with these
> >techniques.  The electronic world is no less secure after these
> >announcements than it was before."
> However, this argument is often used against v3 keys, because they use
> MD5. It appears that MD5 and SHA1 may be vulnerable to the same kind of
> attack. In practice, I don't worry about either hash being broken.

While this isn't a practical break of MD5, it is still prudent to stop
using it.  In the context of OpenPGP, stopping using MD5 means
stopping using v3 keys.  If we stop using MD5 today, we can gracefully
migrate to something better.  If we wait until there IS a practical
break, then we are forced into a frantic repair mode that can cause
other harm.

The very next paragraph in Bruce Schneier's essay is:

  But there's an old saying inside the NSA: "Attacks always get
  better; they never get worse." These techniques will continue to
  improve, and probably someday there will be practical attacks based
  on these techniques.

He's arguing to start the slow transition away from SHA-1.  If there
is a rational argument for starting a transition away from SHA-1, then
we sure as heck should have been off MD5 for a long time now.
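The practical side of "stopping using MD5 means stopping using v3 keys" is finding the material that still depends on it. The following is an added example, not code from this post or from GnuPG: it parses the OpenPGP packet formats from RFC 4880 and reports v3 public keys (whose fingerprint is, by definition, MD5 over the key's MPIs, and whose key ID is the low 64 bits of the RSA modulus) together with signature packets whose digest algorithm ID is MD5 (1) or SHA-1 (2). The sample keyring at the bottom is constructed for illustration with a toy 64-bit modulus and placeholder signature bodies; it is not a real key, and the function and constant names are this example's own.

```python
"""Added example: scan a binary OpenPGP keyring for material that rests on MD5 or
SHA-1 (RFC 4880 packet formats; not code from the original post or from GnuPG)."""
import hashlib
import struct

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
              10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}  # MD5 and SHA-1 digest IDs

def iter_packets(data):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0x40:                      # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            else:
                raise ValueError("5-octet/partial lengths not supported")
        else:                               # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield tag, body
        pos += hdr + length

def read_mpi(body, off):
    """Return (value bytes, next offset); an MPI is a 2-octet bit count then the value."""
    n = (struct.unpack(">H", body[off:off + 2])[0] + 7) // 8
    return body[off + 2:off + 2 + n], off + 2 + n

def key_info(body):
    """Version, fingerprint and key ID of a public-key or public-subkey packet."""
    version = body[0]
    if version == 3:
        # v3: version, created(4), validity(2), algo(1), MPIs.  Fingerprint is MD5 over
        # the MPI values without length octets; key ID is the low 64 bits of the modulus.
        off, mpis = 8, []
        while off < len(body):
            mpi, off = read_mpi(body, off)
            mpis.append(mpi)
        fpr = hashlib.md5(b"".join(mpis)).hexdigest()
        return {"version": 3, "fpr_hash": "MD5", "fingerprint": fpr,
                "keyid": mpis[0][-8:].hex()}
    if version == 4:
        # v4: fingerprint is SHA-1 over 0x99, 2-octet length, body; key ID is its tail.
        fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
        return {"version": 4, "fpr_hash": "SHA1", "fingerprint": fpr, "keyid": fpr[-16:]}
    raise ValueError("unknown key version %d" % version)

def signature_hash(body):
    """Digest algorithm ID of a signature packet."""
    if body[0] == 3:
        return body[16]  # ver, hashed-len, type, time(4), keyid(8), pk-algo, hash
    if body[0] == 4:
        return body[3]   # ver, type, pk-algo, hash
    raise ValueError("unknown signature version %d" % body[0])

def audit(keyring):
    """Return (kind, detail) findings: MD5-bound v3 keys and MD5/SHA-1 signatures."""
    findings = []
    for tag, body in iter_packets(keyring):
        if tag in (6, 14):                  # public key / public subkey
            info = key_info(body)
            if info["version"] == 3:
                findings.append(("v3-key-md5-fingerprint", info["keyid"]))
        elif tag == 2:                      # signature
            h = signature_hash(body)
            if h in WEAK_HASHES:
                findings.append(("weak-signature-digest", HASH_NAMES[h]))
    return findings

# Constructed sample keyring: not real keys, a toy 64-bit modulus, no valid signatures.
def _mpi(v):
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
def _old(tag, body):  # old-format header with a 2-octet length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
def _new(tag, body):  # new-format header with a 1-octet length
    return bytes([0xC0 | tag, len(body)]) + body
_T, _N, _E = struct.pack(">I", 1095000000), 0xDEADBEEFCAFEF00D, 65537
V3_KEY = b"\x03" + _T + b"\x00\x00\x01" + _mpi(_N) + _mpi(_E)
V4_KEY = b"\x04" + _T + b"\x01" + _mpi(_N) + _mpi(_E)
V3_SIG_MD5 = b"\x03\x05\x10" + _T + bytes(8) + b"\x01\x01\x00\x00" + _mpi(0x1234)
V4_SIG_SHA1 = b"\x04\x10\x01\x02" + bytes(6) + _mpi(0x1234)
V4_SIG_SHA256 = b"\x04\x10\x01\x08" + bytes(6) + _mpi(0x1234)
SAMPLE_KEYRING = (_old(6, V3_KEY) + _old(2, V3_SIG_MD5) + _old(6, V4_KEY)
                  + _new(2, V4_SIG_SHA1) + _new(2, V4_SIG_SHA256))
```

Running `audit(SAMPLE_KEYRING)` flags the v3 key by its key ID and the two signatures that use MD5 and SHA-1, while the v4 key and the SHA-256 signature pass. The point the code makes concrete is that a v3 key cannot be moved off MD5 by changing a preference: its fingerprint and key ID are MD5-derived by construction, so the only migration is to a new key.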

