Use other hash than SHA-1
dshaw at jabberwocky.com
Mon May 4 04:56:24 CEST 2009
On May 3, 2009, at 8:17 AM, Simon Ruderich wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On Sat, May 02, 2009 at 09:45:11AM -0400, David Shaw wrote:
>> On May 2, 2009, at 6:25 AM, Simon Ruderich wrote:
>> The short answer is that you can only use a 160-bit hash with your
>> default DSA key. That means SHA-1 or RIPEMD/160. There is a
>> feature you
>> can enable (--enable-dsa2) that will allow you to use a bigger hash
>> -- but
>> you can still only use 160 bits worth of it. So if you use SHA-256,
>> you're actually only taking 160 bits worth of it and discarding the
>> To truly use all of a larger hash, you need to either use a RSA key
>> or a
>> large (not default) DSA key (i.e. generated with --enable-dsa2
>> on, and a larger size than 1024 bits selected).
> Thanks for your reply. As it looks like SHA-1 is not so secure
> anymore I want to switch to something stronger, e.g. SHA-256.
> What is best way (for a normal user like me) to do this? The
> solution should be as compatible as possible (I think I read
> - --enable-dsa2 doesn't work with some clients).
> I often read I should stick with the defaults but as SHA-1 has
> it's problems I would prefer a "better" hash; and this doesn't
> seem to work with the defaults.
It's always good advice to stick to the defaults, but it's possible in
this case that it's time to change the defaults.
In the meantime, while the defaults are being pondered, if your
current primary key is a 1024-bit DSA key (it'll say "pub 1024D" when
you do a key listing), then you should consider migrating to something
else. That "something else" can either be a DSA key that is larger
than 1024 bits (often called "DSA2") or an RSA key that is larger than
1024 bits. Different people have different opinions on which is a
better choice and there is no one right answer. For what it's worth,
I personally favor RSA as RSA+SHA-256 has been around longer than
DSA2+SHA-256 and is therefore somewhat more widely supported over the
various OpenPGP clients out there, but DSA2 has some good things about
it, particularly that the signatures are physically smaller, and thus
aren't as intrusive over email.
It's important to remember that this isn't a completely SHA-1 free
key, as that is not currently possible in the OpenPGP protocol, but it
is possible to make a "use as little SHA-1 as possible key".
The way to make the new key is a little bit fussy, I'm afraid, as the
defaults in GPG are sort of built for SHA-1.
If you want a DSA2 key:
gpg --enable-dsa2 --gen-key
Select option 1, and enter 3072 for the DSA key size. Hit enter.
Then enter a key size for the encryption subkey. The default (2048)
If you want an RSA key:
gpg --cert-digest-algo sha256 --gen-key
Select option 5. Enter a RSA key size. The default (2048) is fine.
Finish generating the key as usual, then type:
gpg --cert-digest-algo sha256 --edit-key (yourkey)
Enter a keysize for the subkey. Again, the default (2048) is fine.
For either case, finish up by sticking "personal-digest-preferences
sha256" in your gpg.conf file.
The end result will be a key that does not use SHA-1 either in its
internal construction or in signatures it makes elsewhere. Keep in
mind that there are some clients out there that simply cannot cope
with this key and will reject it with one failure message or another.
The most recent versions of either PGP or GPG can handle it just fine.
More information about the Gnupg-users