Use other hash than SHA-1
David Shaw
dshaw at jabberwocky.com
Sat May 2 21:14:50 CEST 2009
On May 2, 2009, at 10:47 AM, Raimar Sandner wrote:
> On Saturday 02 May 2009 15:45:11 David Shaw wrote:
>> On May 2, 2009, at 6:25 AM, Simon Ruderich wrote:
>>> I would like to use a different hash than SHA-1. I tried setting
>>> personal-digest-preferences SHA256 in my gpg.conf but it didn't
>>> work. What hash can I use with my key (default DSA/Elgamel key)
>>> and how?
>>
>> The short answer is that you can only use a 160-bit hash with your
>> default DSA key. That means SHA-1 or RIPEMD/160. There is a feature
>> you can enable (--enable-dsa2) that will allow you to use a bigger
>> hash -- but you can still only use 160 bits worth of it. So if you
>> use SHA-256, you're actually only taking 160 bits worth of it and
>> discarding the rest.
>>
>> To truly use all of a larger hash, you need to either use a RSA key
>> or
>> a large (not default) DSA key (i.e. generated with --enable-dsa2
>> switched on, and a larger size than 1024 bits selected).
>
> SHA256 is included in the default pref list even for a regular DSA
> key. Is
> that because my own key is not involved when verifying a signature,
> and gnupg
> could verify a SHA256 hash created by someone with a RSA or DSA2 key?
Yes.
> Is it therefore reasonable to have SHA256 in first place of the key
> preferences, even for a regular DSA key?
Yes. (You can place it anywhere you like, depending on how highly you
rank it).
David
More information about the Gnupg-users
mailing list