SHA1 broken?

Atom Smasher atom at smasher.org
Wed Feb 16 18:20:52 CET 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Wed, 16 Feb 2005, David Shaw wrote:

> Without more information, it looks to me like we are now in the position 
> we were in with MD5 several years ago.  It's not broken in practical 
> terms yet.  Attacks don't get worse over time, of course, so we need to 
> start moving to something better.  SHA-1 was already being phased out: 
> http://www.fcw.com/fcw/articles/2005/0207/web-hash-02-07-05.asp
>
> To be sure, this is bad, but the sky isn't falling yet.
===============

agreed. my point is really that the fingerprint/ID hash algo shouldn't be 
carved in stone. like most other parts of the openPGP spec, it should be 
flexible and user defined (within certain constraints). as time goes by, 
strong algorithms are proven to be not as strong as originally thought. 
this has happened to MD5, is now happening to SHA-1, and will just as 
likely happen to the next generation of hash algorithms. the spec needs to 
adapt to this landscape, not be re-written every time a hash is broken.

the spec has it right where the digest and cipher algorithms are 
concerned, and that needs to be adapted to fingerprints and key IDs.


- -- 
         ...atom

  _________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

 	"I've always thought that underpopulated countries in
 	 Africa are vastly under-polluted."
 		-- Lawrence Summers,
 		chief economist of the World Bank,
 		explaining why we should export toxic wastes
 		to Third World countries

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

-----END PGP SIGNATURE-----
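
Added example (not part of the original message and not GnuPG's code): how a version 4 OpenPGP fingerprint and key ID are derived with SHA-1 fixed by the key version, next to a hypothetical `tagged_fingerprint` that carries a hash algorithm ID the way signature packets do. The key material is constructed, and the tagged format is an assumption made for illustration, not something the spec defines.

```python
import hashlib
import struct

# Hash algorithm IDs that OpenPGP signature packets carry (RFC 4880, section 9.4).
HASH_IDS = {1: "md5", 2: "sha1", 8: "sha256", 10: "sha512"}


def mpi(x: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then the value."""
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")


def v4_key_packet_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet."""
    # version 4, creation time, public-key algorithm 1 (RSA), then MPIs n and e
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def hashed_input(body: bytes) -> bytes:
    """What a v4 fingerprint hashes: 0x99, 2-octet length, packet body."""
    return b"\x99" + struct.pack(">H", len(body)) + body


def v4_fingerprint(body: bytes) -> bytes:
    """v4 fingerprint: always SHA-1, with no field saying which hash was used."""
    return hashlib.sha1(hashed_input(body)).digest()


def v4_key_id(body: bytes) -> bytes:
    """v4 key ID: the low-order 64 bits of the fingerprint."""
    return v4_fingerprint(body)[-8:]


def tagged_fingerprint(body: bytes, hash_id: int) -> bytes:
    """Hypothetical format: one octet naming the hash, then that hash's digest."""
    return bytes([hash_id]) + hashlib.new(HASH_IDS[hash_id], hashed_input(body)).digest()


# Constructed sample key material (toy-sized numbers, not a real key).
SAMPLE = v4_key_packet_body(created=1108574452, n=0xC0FFEE1234567891, e=65537)

if __name__ == "__main__":
    print("v4 fingerprint :", v4_fingerprint(SAMPLE).hex().upper())
    print("v4 key ID      :", v4_key_id(SAMPLE).hex().upper())
    for hid in (2, 8):
        print(f"tagged (id {hid:>2}) :", tagged_fingerprint(SAMPLE, hid).hex().upper())
```

With the tag octet in front, a verifier can tell a SHA-1 fingerprint from a SHA-256 one by inspection instead of inferring the hash from the key version.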


