SHA1 broken?

Atom Smasher atom at
Wed Feb 16 17:13:23 CET 2005

Hash: SHA256

On Wed, 16 Feb 2005, David Shaw wrote:

> In terms of GnuPG: it's up to you whether you want to switch hashes or 
> not.  GnuPG supports all of the SHA-2 hashes, so they are at least 
> available.  Be careful you don't run up against compatibility problems: 
> PGP doesn't support 384 or 512, and only recently started supporting 
> 256.  GnuPG before 1.2.2 (2003-05-01), doesn't have any of the new 
> hashes.  Finally, if you have a DSA signing key (most people do) you are 
> required to use either SHA-1 or RIPEMD/160.  RSA signing keys can use 
> any hash.

there's more to it than that. openPGP specifies SHA-1 (and nothing else) 
as the hash used to generate key fingerprints, and is what key IDs are 
derived from.

a real threat if this can be extended into a practical attack is 
substituting a key with a *different* key having the same ID and 
fingerprint. it would be difficult for average users (and impossible for 
the current openPGP infrastructure) to tell bob's key from mallory's key 
that claims to be bob's.

it can also be used (if the attack becomes practical) to forge key 
signatures. mallory can create a bogus key and "sign" it with anyone's 
real key. this would turn the web of trust into dust.

the openPGP spec seemed to have assumed that SHA-1 just wouldn't fail. 
ever. this was the same mistake made in the original version of pgp that 
relied on md5. the spec needs to allow a choice of hash algorithms for 
fingerprints and key IDs, or else we'll play this game every time someone 
breaks a strong hash algorithm.

- -- 

  PGP key -
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808

 	"Any sufficiently advanced technology
 	 is indistinguishable from magic."
 		-- Arthur C. Clarke

Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?


More information about the Gnupg-users mailing list