Weaknesses in SHA-1

David Shaw dshaw at jabberwocky.com
Mon Sep 27 16:47:35 CEST 2004


On Wed, Sep 22, 2004 at 08:48:43PM -0500, Alan S. Jones wrote:
> >> I know that SHA-1 has been analyzed more than SHA256, SHA384, or SHA512
> >> thus could actually be stronger.  However why not let people create keys
> >> with those algorithms also in 1.4?
> >
> >I'm not sure what you mean here - these are hash algorithms.  You
> >don't create a key using them.
> 
> Sorry, wrong wording on the hash/key thing.... let me restate.
> 
> Previously you stated that 1.2.x supports MD5, SHA1, and RIPEMD160 and
> read-only support for SHA256.  Also 1.4 will support MD5, SHA1, RIPEMD160,
> and SHA256, but only have read-only support for SHA384 and SHA512.
> 
> Why not allow for full support of SHA384 and SHA512 and not just read-only
> support in GnuPG 1.4?

It's a good question.  Basically, nobody (PGP or GnuPG) officially
supports 384/512 yet.  It is prudent to get a code base out that
understands a new feature before a code base is released that actually
enables a new feature.  Since 1.2.x does not support 384/512 at all
unless it is specifically compiled in by the user (which the majority
do not), the first release of GnuPG that can (almost always)
understand 384/512 is going to be 1.4.  Once 1.4 has been out for a
while, 384/512 can be enabled for read/write.

OpenPGP has a sometimes justified reputation as being difficult to get
different versions to interoperate.  Just look at the many web sites
with huge compatibility charts.  This is not good for anyone, and
holding back on a new feature until it can be used safely is an
attempt to dispel this reputation.

Incidentally, 384 is sort of pointless for OpenPGP.  It's mostly the
same algorithm as 512 truncated to 384 bytes.  Unless you need to save
16 bytes, there is little benefit.

David
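Added example (not from the original message or from GnuPG): a from-scratch SHA-512 engine showing why SHA-384 is "mostly the same algorithm": it reuses the identical compression function and round constants, differs only in the initial value (fractional square roots of the 9th..16th primes instead of the 1st..8th), and keeps 48 of the 64 output bytes, the 16-byte saving mentioned above. The constants are derived arithmetically rather than hard-coded; the cross-check against hashlib is there to confirm the derivation.

```python
import hashlib, math
M64 = (1 << 64) - 1

def primes(n):  # first n primes; the SHA-2 constants are derived from them
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps

def icbrt(n):  # exact floor(cbrt(n)) via integer Newton from an overestimate
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & M64

def sha512_core(msg, iv, out_len):  # FIPS 180-4 SHA-512 engine, truncated to out_len bytes
    K = [icbrt(p << 192) & M64 for p in primes(80)]  # frac(cbrt(prime)) round constants
    h = list(iv)
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((111 - len(msg)) % 128) + bit_len.to_bytes(16, "big")
    for i in range(0, len(msg), 128):  # one 1024-bit block at a time
        w = [int.from_bytes(msg[i + 8 * j:i + 8 * j + 8], "big") for j in range(16)]
        for t in range(16, 80):  # message schedule
            s0 = rotr(w[t - 15], 1) ^ rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
            s1 = rotr(w[t - 2], 19) ^ rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
            w.append((w[t - 16] + s0 + w[t - 7] + s1) & M64)
        a, b, c, d, e, f, g, hh = h
        for t in range(80):  # 80 rounds
            t1 = (hh + (rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)) + ((e & f) ^ (~e & g)) + K[t] + w[t]) & M64
            t2 = ((rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)) + ((a & b) ^ (a & c) ^ (b & c))) & M64
            hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & M64, c, b, a, (t1 + t2) & M64
        h = [(x + y) & M64 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return b"".join(x.to_bytes(8, "big") for x in h)[:out_len]

def sha512(msg):  # IV = frac(sqrt) of primes 1..8, full 64-byte digest
    return sha512_core(msg, [math.isqrt(p << 128) & M64 for p in primes(8)], 64)

def sha384(msg):  # same engine, IV from primes 9..16, digest cut to 48 bytes
    return sha512_core(msg, [math.isqrt(p << 128) & M64 for p in primes(16)[8:]], 48)

def matches_stdlib(msg):  # cross-check both variants against hashlib
    return sha512(msg) == hashlib.sha512(msg).digest() and sha384(msg) == hashlib.sha384(msg).digest()
```

Because the initial value differs, SHA-384 is not literally the first 48 bytes of the SHA-512 digest, even though the two share every other component.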
