Weaknesses in SHA-1

David Shaw dshaw at jabberwocky.com
Tue Sep 28 06:34:12 CEST 2004


On Mon, Sep 27, 2004 at 10:38:21PM +0200, Simon Josefsson wrote:

> > I think history shows that any uncommon algorithm is going to be used
> > simply because it's there...
> 
> And that's bad.  Maybe we can penalize such users somehow?  Only
> enable Tiger192 read-only support if a certain token is in the config
> file?  Then there is an escape mechanism if all but Tiger192 is
> broken.

That's effectively what SHA512 is now.  It's read-only unless you
modify the code.

> OTOH, you might take the stand that if SHA256 is broken, you have a
> lot of other problems.  So any solution that would work for other
> applications (that is, release a new version with support for SHA3)
> would work for GnuPG as well.
> 
> Personally, I would rather have to upgrade once in a while due to
> cryptographic advances, than have even more dead code to review in
> security critical applications.  And if I were a maintainer, I
> wouldn't want to maintain practically useless code, nor maintain an
> escape mechanism that might not ever be used, nor take on the support
> cost of a niche market.

Exactly.  GnuPG already supports MD5, SHA1, RIPEMD160, SHA256, SHA384,
and SHA512.  If all of them are broken at the same time, I'll eat my
hat.  To say nothing of the fact that if SHA1 is broken, OpenPGP as a
whole needs to be revised.

David
