migration paths from SHA-1 [was: Re: idea.dll]
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jun 27 16:24:54 CEST 2012
On 06/27/2012 09:11 AM, Robert J. Hansen wrote:
> On 6/26/2012 3:22 AM, Werner Koch wrote:
>> This is very different in OpenPGP. SHA-1 is not used everywhere; its
>> main use is for the fingerprint, this will eventually be a problem.
> I am not so sanguine. Marc Stevens claims  he has a working
> collision requiring 2**57 compressions: that number is low enough to
> make my hair stand on end. He also says he knows how to make it faster,
> and he's been curiously silent on the subject for the last year and a
> half. I think "eventually" is going to come sooner than we think.
For the key's fingerprint specifically, a pre-image (where the attacker
crafts a new text that shares a digest with the victim's key material)
is the thing to worry about, not a crafted collision (where the attacker
generates two texts that share a digest).
My read of  is that the attack is a collision technique, not a
pre-image technique, which would imply that "eventually" is still
actually a little ways off for fingerprints at least.
> Werner wrote:
>> Everywhere else we are already using SHA-2.
Not by default. In testing today with an empty profile, gpg 1.4.12
still defaults to making key certifications (where the attacker controls
the digested material completely) and data signature with SHA1. These
are areas where a successful collision attack can do serious harm.
i'd be happy to see gpg migrate to defaults of SHA-256 for data
signatures and key certifications; these digests have been available to
users (of both GPG and PGP) for many years now. I've been using SHA-512
for my data signatures and key certifications for a few years and have
never gotten a complaint.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1030 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users