howto secure older keys after the recent attacks
Philippe Cerfon
philcerf at googlemail.com
Thu Sep 10 23:38:58 CEST 2009
On Thu, Sep 10, 2009 at 5:08 PM, David Shaw <dshaw at jabberwocky.com> wrote:
> The real headache here is (as always) the practical - what to do with
> existing keys and such. I suspect that removing SHA1 would effectively mean
> a new key type for OpenPGP (again, not a disaster - we're on our 4th key
> type today).
Ok,.. but then people would "lose" all their collected signatures on
their keys and to other keys :-(
> That isn't to say there aren't differences between systems - the FreeBSD
> PRNG (which seems to have been inherited by OSX) is of a fairly different
> construction than the Linux one, which has led to some mild controversy in
> the past. Notably, the Linux one blocks if you run out of gathered entropy,
> and the FreeBSD one does not. FreeBSD /dev/random is similar to Linux's
> /dev/urandom.
So I better use Linux and not FreeBSD ;)
> I'm not exactly sure what you mean by "hash algorithm armor". RSA in
> OpenPGP does have an additional protection (usually called a "hash firewall")
> that DSA lacks. This gives some protection against hash substitution
> attacks, but it's not a major deal either way.
Yeah,.. that's the issue I've meant...
> It's true that NIST's guidelines say that to truly get the maximum juice out
> of a 512-bit hash, you should use a 15360-bit key, but that doesn't mean you
> must. The overall strength of the system is the weakest point, so as long
> as that weakest point is strong enough, you're fine.
*still cannot believe that I've remembered the exact number :-O *
Thanks,
Philippe.
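The "hash firewall" mentioned in the quoted reply is worth seeing in code. The following is an added example, not code from the original thread, from GnuPG or from either poster: a pure-Python textbook RSA with a freshly generated, deliberately small throwaway key (hypothetical, not for real use) that signs the PKCS#1 v1.5 DigestInfo structure OpenPGP uses for RSA, so the hash algorithm's OID is part of the signed data. For contrast, a second pair of functions signs only the raw digest value, which is the situation DSA is in: the verifier is handed a digest and the claimed hash algorithm never enters the computation. The message bytes and the function names (`sign_with_firewall`, `verify_with_firewall`, `sign_without_firewall`, `verify_without_firewall`, `demo`) are constructed for this example.

```python
# Added example, not from the original thread: PKCS#1 v1.5 "hash firewall"
# versus signing a bare digest. Toy RSA with a small throwaway key; illustration only.
import hashlib
import secrets

# DER DigestInfo prefixes (RFC 3447 sec. 9.2 / RFC 4880 sec. 5.2.2). The hash
# algorithm's OID is embedded in the data that gets signed: the "hash firewall".
DIGEST_INFO = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (enough for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand):
            return cand


def generate_key(bits=1024):
    """Hypothetical throwaway RSA key (n, e, d). Far too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e, pow(e, -1, phi))


def _emsa_pkcs1_v15(t, em_len):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || T, with at least 8 bytes of FF padding."""
    if em_len < len(t) + 11:
        raise ValueError("modulus too small for this hash")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def _rsa_private(key, em):
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def _rsa_public(key, sig):
    n, e, _ = key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")


def sign_with_firewall(key, message, hash_name):
    """RSA as in OpenPGP: the signed value is DigestInfo(OID) || digest."""
    k = (key[0].bit_length() + 7) // 8
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, message).digest()
    return _rsa_private(key, _emsa_pkcs1_v15(t, k))


def verify_with_firewall(key, message, hash_name, sig):
    """The verifier rebuilds DigestInfo for the *claimed* hash; a signature made
    with one hash therefore cannot be relabelled as a signature with another."""
    k = (key[0].bit_length() + 7) // 8
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, message).digest()
    try:
        expected = _emsa_pkcs1_v15(t, k)
    except ValueError:
        return False
    return secrets.compare_digest(_rsa_public(key, sig), expected)


def sign_without_firewall(key, message, hash_name):
    """DSA-like: only the digest value is signed; nothing records the algorithm."""
    k = (key[0].bit_length() + 7) // 8
    return _rsa_private(key, _emsa_pkcs1_v15(hashlib.new(hash_name, message).digest(), k))


def verify_without_firewall(key, digest, sig):
    """The verifier only ever sees a digest value; which hash produced it is
    unauthenticated, so any (algorithm, message) pair yielding these bytes would pass."""
    k = (key[0].bit_length() + 7) // 8
    return secrets.compare_digest(_rsa_public(key, sig), _emsa_pkcs1_v15(digest, k))


def demo():
    key = generate_key(1024)                    # fresh throwaway key each run
    msg = b"constructed sample message"         # constructed input
    sig = sign_with_firewall(key, msg, "sha256")
    raw_sig = sign_without_firewall(key, msg, "sha1")
    return {
        "firewall_correct_alg": verify_with_firewall(key, msg, "sha256", sig),
        "firewall_wrong_alg":   verify_with_firewall(key, msg, "sha1", sig),
        "firewall_tampered":    verify_with_firewall(key, msg + b"!", "sha256", sig),
        "raw_digest_accepted":  verify_without_firewall(key, hashlib.sha1(msg).digest(), raw_sig),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the difference in behaviour rather than in strength: the firewalled verifier rejects the same signature the moment a different hash algorithm is claimed, because the OID it reconstructs no longer matches the one inside the signed block, while the bare-digest verifier has no algorithm to check at all and relies entirely on the caller to supply the right digest. That is the whole of the protection the quoted reply describes, and also why it only matters for a cross-hash substitution attack.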