Use other hash than SHA-1

David Shaw dshaw at jabberwocky.com
Fri May 8 02:09:31 CEST 2009


On May 7, 2009, at 7:17 PM, Christoph Anton Mitterer wrote:

> On Tue, 2009-05-05 at 22:16 -0400, David Shaw wrote:
>>> I'm not sure if this leads to the same discussion that we had some
>>> time
>>> ago on the WG-list (about explicitly revoking previous self- 
>>> sigs),...
>>> but if a key has self-sigs with different hash-algos,... does this
>>> "allow" downgrad-attacks or that like?
>>
>> It depends on the attack.  What is the attack you are concerned  
>> about?
>
> Nothing specific,... it was my question, whether there could be any
> attacks,.. using the fact, that an older self-sig with "weaker" hash
> algo is available.

It depends on what the attack is :)

One fear that I've seen talked about for SHA-1 is that an attacker can  
create a duplicate document such that if you signed document or key A,  
they could come up with a document or key B that your signature would  
equally apply to.  That fear is more than a little overblown.  Even  
MD5 hasn't been broken to that extent.

But for the sake of argument, let's say that this fear is realistic.   
In that case, it doesn't make much of a difference whether you re-sign  
or not.  If you do re-sign, the attacker can still get the earlier  
signature from a keyserver.  Even if you revoke it, the old signature  
is still there.

>>> Even when they see, that the self-sig with the "better" algo, has a
>>> newer creation date?
>>> Would consider this critical :/
>>
>> They mustn't do this.  They can't, really.  It would enable a pretty
>> trivial DoS if I could make up a bogus self-sig with some hash number
>> that isn't even allocated yet, but a later date, and send it to a
>> keyserver to be attached to my victim key.  GPG must treat any
>> signature that does not verify as irrelevant.
>
> Oops,.. of course you're right,.. but then it's possible,... that e.g.
> the newer self-sig (with the newer hash algo) contains e.g. a key
> revocation, or something else security relevant (e.g. important new
> policy).
> As the older signature is not revoked,.. and the newer is not  
> understood
> (thus ignored),... this could lead to problems, or am I wrong?

No, you are right.  When making an important statement about your key,  
and you want to make it with an algorithm that doesn't have widespread  
support yet, you do need to take into account that not everyone might  
be able to understand your new statement.  To them, it would be as if  
you had said nothing at all.

A key revocation is a perfect example of this.  You could end up with  
part of the community thinking you revoked your key and part thinking  
you did nothing.  Personally, if I was revoking a key, I'd use  
whatever hash algorithm I used for my self-sigs (using the logic that  
anyone who could use my key at all would see it was revoked, and that  
I don't particularly care if people who can't use my key at all  
(because they don't know that has) see if it is revoked or not).

David




More information about the Gnupg-users mailing list