howto secure older keys after the recent attacks

David Shaw dshaw at jabberwocky.com
Thu Sep 10 03:45:45 CEST 2009


On Sep 9, 2009, at 6:43 PM, Philippe Cerfon wrote:

> Hi.
>
> Now something more realistic and pracitcal.
>
> I'm using gpg for anonymous but secured communication together with  
> some of my friends for some years now....
> Recently I've read on severa attacks on SHA1 and AES256 that could  
> also affect gpg and its keys.
>
> So waht I'd like to see is some step by step howto on securing older  
> keys (written by some expert probably ;-) ).

[..]

> As far as I understand thise means:
> - The signatures on them are created with SHA1
> - The differ in preferred algorihtms for hashes and compression
>
> Well...
> - It seems that I can easily change these preferences via gpg --edit- 
> key,.. so I could simply remove e.g. SHA1

Yes, but it won't actually go away completely.  SHA1 is special in  
OpenPGP.  Unlike the other hashes, SHA1 is required to be supported.   
Removing SHA1 from an OpenPGP preference list doesn't actually remove  
it, but instead effectively puts it at the end of the list (so it is  
the lowest ranked choice).

> -But I'd also like to have the signatures themselves using e.g.  
> SHA256 or SHA512,... but they're alread using SHA1
> Can this be changed?
> Or can I simply add new self signatures?

Yes

> And if I do so the old ones would still be on the keyservers, right?  
> And no way to delete them.

Yes

> So does this mean any harm to me? At some day SHA1 might be fully  
> broken, and then an attacker could use simply these older self  
> signatures instead of the newer ones, or not?

Well, yes and no.  Old signatures are certainly available to both  
friend and foe, but the real question is: use them for what?  What  
attack are you concerned about here?

> Or should I better start with a fresh key without any old signatures?

No need.  If you had a DSA key, I might suggest changing keys, but you  
have an RSA key, and are thus free to use whatever hash you please.

To change the hash you sign with, stick this in your gpg.conf file:

personal-digest-preferences sha256

Feel free to list whatever hashes you like here.  GPG will rank them  
in that order.

> Another thing I've read about is, that gpg keys are using SHA1 hard  
> coded in some places with no way to use another algortihm... which  
> places are these so one could avoid them perhaps?

You pretty much can't.  The key ID itself is derived from SHA1.

There was a very long discussion of the SHA1 issue a few months back  
on this list.  See, for example, http://lists.gnupg.org/pipermail/gnupg-users/2009-May/036338.html 
  and http://lists.gnupg.org/pipermail/gnupg-devel/2009-May/024999.html

In short, I wouldn't worry all that much about it.

With regards to AES256, I doubly wouldn't worry about it.  See http://lists.gnupg.org/pipermail/gnupg-users/2009-August/037107.html

This sort of question tends to cause long threads where everyone  
throws in their own cipher preferences.  Instead of giving my  
preferences, allow me to point at the wonderful defaults in GPG.   
They're the default algorithms for a reason.

David




More information about the Gnupg-users mailing list