why is SHA1 used? How do I get SHA256 to be used?

Robert J. Hansen rjh at sixdemonbag.org
Wed Jul 11 02:15:32 CEST 2012


On 7/10/2012 7:59 PM, brian m. carlson wrote:
> SHA-1 is considered cryptographically broken.  It does not provide 
> the level of security it claims.

Yes.  This is not the same as being *insecure*, though, which is what
was claimed.  Moving from "cryptographically broken" to "insecure/dead"
is about as large a step as going from "nothing" to "cryptographically
broken."

MD5 was cryptographically broken in 1996.  We didn't see major practical
results against it until 2005 or so, and NIST didn't declare it dead
and say it should no longer be used until 2010.  There's some serious
lag time there.  SHA-1 will likely not have as long a lag time, but
let's not go about pretending there is no lag time or that the lag time
has already elapsed.

There tends to be a lot of scaremongering in the world of crypto.  I
think it's generally wise to be careful in our declarations.  It is
enough to say SHA-1 is known to not meet its design specifications and
that some fairly devastating attacks against it will likely be coming
along in the near future.  That's already a good enough reason to reduce
our usage of and dependency upon SHA-1.  There's no need to fearmonger
about how the algorithm has already collapsed, because it hasn't.

> Practically, collisions can be generated for 75 of the 80 rounds[0].

Right now, only random collisions can be generated.  That's not any use
in forging a signature, which requires a preimage collision.  A
cryptographic break is not the same as a practical exploit.

> I don't generate signatures with algorithms I consider insecure 
> because that leads to people being able to forge signatures in my 
> name.

Then you need to stop using OpenPGP altogether, because you're already
generating SHA-1 signatures with your certificate which can be lifted
and dropped onto new messages if/when a preimage attack is introduced
against SHA-1.

Let me make this really clear: if you believe SHA-1 is insecure, you
believe OpenPGP is insecure and you should stop using it.  SHA-1 is
hardwired into the OpenPGP spec in a few different places and, as of
right now, cannot really be removed.  The new V5 key format will almost
certainly change this, but V5 won't be coming out for a good long while yet.

> If I use MD5, even for one message, that allows a moderately
> determined attacker to replay that signature on what is likely to
> become a fairly large set of messages.  I'd rather avoid that, thank
> you.

You've *already done this*.

If you truly believe this, stop using OpenPGP.
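
The point about SHA-1 being hardwired into OpenPGP can be seen in the V4
fingerprint and key ID: RFC 4880 section 12.2 defines the fingerprint as
SHA-1 over 0x99, a two-byte length, and the public-key packet body, and the
key ID as the low 64 bits of that fingerprint.  The script below, added here
as an illustration and not code from Robert Hansen, brian carlson, or the
GnuPG project, builds a V4 RSA public-key packet body and derives the
fingerprint and key ID from it.  The key material (SAMPLE_N, SAMPLE_E, the
creation timestamp) is constructed for the example and is not a real key;
the function names are the author's own.  No digest-algorithm preference in
gpg.conf touches this computation, because the spec leaves nothing to select.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode a non-negative integer as an OpenPGP MPI (RFC 4880 s3.2):
    a two-byte big-endian bit count followed by the magnitude bytes."""
    if value < 0:
        raise ValueError("MPIs are unsigned")
    if value == 0:
        return b"\x00\x00"
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a V4 public-key packet for RSA (RFC 4880 s5.5.2):
    version 4, 4-byte creation time, algorithm id 1 (RSA), then MPIs n and e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def fingerprint_input(body: bytes) -> bytes:
    """The bytes the V4 fingerprint is taken over (RFC 4880 s12.2):
    0x99, the two-byte length of the packet body, then the body itself."""
    if len(body) > 0xFFFF:
        raise ValueError("V4 fingerprint length prefix is only two bytes")
    return b"\x99" + struct.pack(">H", len(body)) + body


def v4_fingerprint(body: bytes) -> bytes:
    """V4 fingerprint. The hash is SHA-1 by definition; the V4 format gives
    no way to substitute another digest without changing the key format."""
    return hashlib.sha1(fingerprint_input(body)).digest()


def key_id(fingerprint: bytes) -> str:
    """The 64-bit key ID is the low-order 8 bytes of the fingerprint."""
    return fingerprint[-8:].hex().upper()


def fingerprint_display(fingerprint: bytes) -> str:
    """Format a 20-byte fingerprint the way gpg prints it:
    ten groups of four hex digits."""
    h = fingerprint.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


# Constructed sample key material for illustration only: a 64-bit "modulus"
# and e = 65537.  Real RSA moduli are far larger; this is not a usable key.
SAMPLE_CREATED = 1341968132      # arbitrary timestamp, roughly 2012-07-11 UTC
SAMPLE_N = 0xC0FFEE1234567891    # constructed, not a real modulus
SAMPLE_E = 65537
SAMPLE_BODY = v4_rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)

if __name__ == "__main__":
    fp = v4_fingerprint(SAMPLE_BODY)
    print("Fingerprint:", fingerprint_display(fp))
    print("Key ID:     ", key_id(fp))
    # Same n and e, creation time one second later: a different fingerprint
    # and key ID, because the creation time is part of the hashed body.
    fp2 = v4_fingerprint(v4_rsa_public_key_body(SAMPLE_CREATED + 1, SAMPLE_N, SAMPLE_E))
    print("Created 1s later:", fingerprint_display(fp2))
```

Running it prints a 40-hex-digit fingerprint and a 16-hex-digit key ID, and
shows that the same key material with a different creation time yields a
different fingerprint.  Anything that identifies keys by fingerprint or key ID
(keyservers, signature packets, trust databases) is therefore tied to SHA-1
for as long as V4 keys are in use.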
