Use other hash than SHA-1

David Shaw dshaw at jabberwocky.com
Mon May 4 04:56:24 CEST 2009


On May 3, 2009, at 8:17 AM, Simon Ruderich wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sat, May 02, 2009 at 09:45:11AM -0400, David Shaw wrote:
>> On May 2, 2009, at 6:25 AM, Simon Ruderich wrote:
>>
>> The short answer is that you can only use a 160-bit hash with your
>> default DSA key.  That means SHA-1 or RIPEMD/160.  There is a feature
>> you can enable (--enable-dsa2) that will allow you to use a bigger
>> hash -- but you can still only use 160 bits worth of it.  So if you use
>> SHA-256, you're actually only taking 160 bits worth of it and
>> discarding the rest.
>>
>> To truly use all of a larger hash, you need to either use a RSA key or
>> a large (not default) DSA key (i.e. generated with --enable-dsa2
>> switched on, and a larger size than 1024 bits selected).
>>
>> David
>
> Hi,
>
> Thanks for your reply. As it looks like SHA-1 is not so secure
> anymore I want to switch to something stronger, e.g. SHA-256.
> What is the best way (for a normal user like me) to do this? The
> solution should be as compatible as possible (I think I read
> --enable-dsa2 doesn't work with some clients).
>
> I often read I should stick with the defaults but as SHA-1 has
> its problems I would prefer a "better" hash; and this doesn't
> seem to work with the defaults.

It's always good advice to stick to the defaults, but it's possible in  
this case that it's time to change the defaults.

In the meantime, while the defaults are being pondered, if your  
current primary key is a 1024-bit DSA key (it'll say "pub 1024D" when  
you do a key listing), then you should consider migrating to something  
else.  That "something else" can either be a DSA key that is larger  
than 1024 bits (often called "DSA2") or an RSA key that is larger than  
1024 bits.   Different people have different opinions on which is a  
better choice and there is no one right answer.  For what it's worth,  
I personally favor RSA as RSA+SHA-256 has been around longer than  
DSA2+SHA-256 and is therefore somewhat more widely supported over the  
various OpenPGP clients out there, but DSA2 has some good things about  
it, particularly that the signatures are physically smaller, and thus  
aren't as intrusive over email.

It's important to remember that this isn't a completely SHA-1 free  
key, as that is not currently possible in the OpenPGP protocol, but it  
is possible to make a "use as little SHA-1 as possible key".

The way to make the new key is a little bit fussy, I'm afraid, as the  
defaults in GPG are sort of built for SHA-1.

If you want a DSA2 key:

   gpg --enable-dsa2 --gen-key

Select option 1, and enter 3072 for the DSA key size.  Hit enter.   
Then enter a key size for the encryption subkey.  The default (2048)  
is fine.

If you want an RSA key:

  gpg --cert-digest-algo sha256 --gen-key

Select option 5.  Enter a RSA key size.  The default (2048) is fine.   
Finish generating the key as usual, then type:

  gpg --cert-digest-algo sha256 --edit-key (yourkey)
  addkey
  6

Enter a keysize for the subkey.  Again, the default (2048) is fine.

For either case, finish up by sticking "personal-digest-preferences  
sha256" in your gpg.conf file.

The end result will be a key that does not use SHA-1 either in its  
internal construction or in signatures it makes elsewhere.  Keep in  
mind that there are some clients out there that simply cannot cope  
with this key and will reject it with one failure message or another.   
The most recent versions of either PGP or GPG can handle it just fine.

David
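
One way to check the result described in this message, as an added example that is not part of the original post or of GnuPG: the hypothetical function `audit_packets` reads the text that `gpg --list-packets` prints and flags a 1024-bit DSA primary key and any signature made with SHA-1. It assumes the human-readable packet listing layout shown in the constructed samples, which is debugging output and can differ between GnuPG versions.

```shell
# Added example: reads `gpg --list-packets` text on stdin, prints one line per
# primary key and signature, exits 1 if a 1024-bit DSA key or SHA-1 is found.
# Typical use: gpg --export KEYID | gpg --list-packets | audit_packets
audit_packets() {
  awk '
    BEGIN { h[1]="MD5"; h[2]="SHA1"; h[3]="RIPEMD160"; h[8]="SHA256"; h[9]="SHA384"
            h[10]="SHA512"; h[11]="SHA224"; p[1]="RSA"; p[16]="ELG"; p[17]="DSA" }
    /^:public key packet:/ { ctx = "pub"; next }
    /^:signature packet:/  { ctx = "sig"; keyid = $NF; next }
    /^:/                   { ctx = ""; next }    # any other packet type
    ctx == "pub" && $3 == "algo" { pk = $4 + 0 } # "17," converts to 17
    ctx == "pub" && /pkey\[0\]:/ {               # size of p (DSA) or n (RSA)
      bits = substr($2, 2) + 0; bad = (pk == 17 && bits <= 1024)
      print "KEY", ((pk in p) ? p[pk] : pk), bits, (bad ? "FLAG" : "ok")
      flagged += bad
    }
    ctx == "sig" && /sigclass/ { class = $NF }
    ctx == "sig" && $1 == "digest" && $2 == "algo" {
      id = $3 + 0; bad = (id == 2)               # hash algorithm 2 is SHA-1
      print "SIG", keyid, class, ((id in h) ? h[id] : id), (bad ? "FLAG" : "ok")
      flagged += bad
    }
    END { exit (flagged > 0) }
  '
}
# Constructed sample listings (not real keys), trimmed to the lines the audit reads.
sample_old() { cat <<'EOF'
:public key packet:
    version 4, algo 17, created 1100000000, expires 0
    pkey[0]: [1024 bits]
:signature packet: algo 17, keyid 1111111111111111
    version 4, created 1100000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 5a 1b
EOF
}
sample_new() { cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1241400000, expires 0
    pkey[0]: [2048 bits]
:signature packet: algo 1, keyid 2222222222222222
    version 4, created 1241400000, md5len 0, sigclass 0x13
    digest algo 8, begin of digest 9c 40
:public sub key packet:
    pkey[0]: [2048 bits]
:signature packet: algo 1, keyid 2222222222222222
    version 4, created 1241400100, md5len 0, sigclass 0x18
    digest algo 8, begin of digest 77 e2
EOF
}
```

Signature class 0x13 is the self-signature on the user ID and 0x18 is the subkey binding signature, so both the `--gen-key` and the `addkey` steps are covered by the check.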



