Use other hash than SHA-1
Simon Ruderich
simon at ruderich.org
Sun May 3 14:17:03 CEST 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sat, May 02, 2009 at 09:45:11AM -0400, David Shaw wrote:
> On May 2, 2009, at 6:25 AM, Simon Ruderich wrote:
>
> The short answer is that you can only use a 160-bit hash with your
> default DSA key. That means SHA-1 or RIPEMD/160. There is a feature you
> can enable (--enable-dsa2) that will allow you to use a bigger hash -- but
> you can still only use 160 bits worth of it. So if you use SHA-256,
> you're actually only taking 160 bits worth of it and discarding the rest.
>
> To truly use all of a larger hash, you need to either use a RSA key or a
> large (not default) DSA key (i.e. generated with --enable-dsa2 switched
> on, and a larger size than 1024 bits selected).
>
> David
Hi,
Thanks for your reply. As it looks like SHA-1 is not so secure
anymore I want to switch to something stronger, e.g. SHA-256.
What is best way (for a normal user like me) to do this? The
solution should be as compatible as possible (I think I read
- --enable-dsa2 doesn't work with some clients).
I often read I should stick with the defaults but as SHA-1 has
it's problems I would prefer a "better" hash; and this doesn't
seem to work with the defaults.
Thanks,
Simon
- --
+ privacy is necessary
+ using http://gnupg.org
+ public key id: 0x6115F804EFB33229
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkn9iz8ACgkQYRX4BO+zMilb8QCggjba5LS7wYh+JtKUokp0H2Kv
TWUAnjr/xfauGS3bq5rdv5LsLxr0mW+M
=rbFp
-----END PGP SIGNATURE-----
More information about the Gnupg-users
mailing list