howto secure older keys after the recent attacks

[Robert J. Hansen]

Philippe Cerfon wrote:
> What specifically do you mean? Crypto-stuff in banking etc.?

"Specifically"?  I don't have the time to list everywhere that will
break.  SHA-1 is used in a ton of places, and often not places you'd
immediately expect.  For instance, computer fuel injection timings are
controlled by software.  Auto enthusiasts would like to be able to
customize them, but can't.  If SHA-1 breaks, auto enthusiasts will be
able to forge their own signatures and deliver their own "updates" to
their engines.

Skype will potentially break.  Many P2P networks (including the ones
Skype is based upon) use a mathematical construct called a "distributed
hash table" to figure out how to route data.  If the hash algorithm is
bad, well, you're out of luck.

Filesystems will suffer.  There exist some filesystems that avoid
storing redundant data by tracking a hash of each file.  If the file
you're writing matches a hash that's already on the disk, the filesystem
just puts in a soft link.

That's three examples of things that will unexpectedly break if SHA-1
falls.  A complete laundry list would go for pages and pages and pages.
 I'd suggest reading comp.risks; they might have something on point.

> But attackers could still attack older data, that they intercepted, right?

No.

Imagine that in 2010, the OpenPGP Working Group publishes a new key
specification.  v5 keys use SHA256, not SHA1.  I revoke my current key
and migrate to a new v5 key.

In 2015, the SHA-1 attack becomes practical.  Someone goes back to my
old messages and lifts a signature off something I've written.  They
construct a new message that hashes out the same as my old message, and
put my old signature on a new message.  "Look, look!  He signed a
message in 2009 claiming that he'd pay me $1 million in 2015!  Pay up,
Mr. Hansen!"

No one would take such a forgery seriously.