howto secure older keys after the recent attacks
dshaw at jabberwocky.com
Thu Sep 10 03:45:45 CEST 2009
On Sep 9, 2009, at 6:43 PM, Philippe Cerfon wrote:
> Now something more realistic and pracitcal.
> I'm using gpg for anonymous but secured communication together with
> some of my friends for some years now....
> Recently I've read on severa attacks on SHA1 and AES256 that could
> also affect gpg and its keys.
> So waht I'd like to see is some step by step howto on securing older
> keys (written by some expert probably ;-) ).
> As far as I understand thise means:
> - The signatures on them are created with SHA1
> - The differ in preferred algorihtms for hashes and compression
> - It seems that I can easily change these preferences via gpg --edit-
> key,.. so I could simply remove e.g. SHA1
Yes, but it won't actually go away completely. SHA1 is special in
OpenPGP. Unlike the other hashes, SHA1 is required to be supported.
Removing SHA1 from an OpenPGP preference list doesn't actually remove
it, but instead effectively puts it at the end of the list (so it is
the lowest ranked choice).
> -But I'd also like to have the signatures themselves using e.g.
> SHA256 or SHA512,... but they're alread using SHA1
> Can this be changed?
> Or can I simply add new self signatures?
> And if I do so the old ones would still be on the keyservers, right?
> And no way to delete them.
> So does this mean any harm to me? At some day SHA1 might be fully
> broken, and then an attacker could use simply these older self
> signatures instead of the newer ones, or not?
Well, yes and no. Old signatures are certainly available to both
friend and foe, but the real question is: use them for what? What
attack are you concerned about here?
> Or should I better start with a fresh key without any old signatures?
No need. If you had a DSA key, I might suggest changing keys, but you
have an RSA key, and are thus free to use whatever hash you please.
To change the hash you sign with, stick this in your gpg.conf file:
Feel free to list whatever hashes you like here. GPG will rank them
in that order.
> Another thing I've read about is, that gpg keys are using SHA1 hard
> coded in some places with no way to use another algortihm... which
> places are these so one could avoid them perhaps?
You pretty much can't. The key ID itself is derived from SHA1.
There was a very long discussion of the SHA1 issue a few months back
on this list. See, for example, http://lists.gnupg.org/pipermail/gnupg-users/2009-May/036338.html
In short, I wouldn't worry all that much about it.
With regards to AES256, I doubly wouldn't worry about it. See http://lists.gnupg.org/pipermail/gnupg-users/2009-August/037107.html
This sort of question tends to cause long threads where everyone
throws in their own cipher preferences. Instead of giving my
preferences, allow me to point at the wonderful defaults in GPG.
They're the default algorithms for a reason.
More information about the Gnupg-users