migration paths from SHA-1 [was: Re: idea.dll]

Robert J. Hansen rjh at sixdemonbag.org
Wed Jun 27 16:32:03 CEST 2012


On 6/27/2012 10:24 AM, Daniel Kahn Gillmor wrote:
> For the key's fingerprint specifically, a pre-image (where the attacker
> crafts a new text that shares a digest with the victim's key material)
> is the thing to worry about, not a crafted collision (where the attacker
> generates two texts that share a digest).

Yes.  And this is exactly what I heard in 2005 from people who were
dismissing the MD5 collision attacks as, "well, you know, they're not
preimages."  It didn't take long to go from that to full-on attacks on
MD5.  I expect the same will occur here.

> My read of [1] is that the attack is a collision technique, not a
> pre-image technique, which would imply that "eventually" is still
> actually a little ways off for fingerprints at least.

If by "a little ways off" you mean anywhere between six months and a few
years, then yes, that's reasonable.

I don't expect SHA-1 to fall over dead this afternoon, but the
chaplain's been summoned to its room to deliver the Last Rites.
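
What the quoted collision/pre-image distinction means in attacker work, as an added example that is not part of the original post or of GnuPG's code: the first search is a collision, where the attacker chooses both documents and stops as soon as any two candidates share a digest (birthday bound, about 2**(n/2) tries for an n-bit hash); the second is the "pre-image" case for a fingerprint, a second preimage against one fixed piece of key material, which has no birthday shortcut and costs about 2**n tries by brute force. SHA-1 is truncated to a few bits purely so both searches finish in seconds; the candidate message formats and the "victim key" bytes are constructed for the example.

```python
"""Collision vs. second-preimage cost on a truncated hash (constructed example)."""
import hashlib


def truncated_digest(data: bytes, bits: int) -> int:
    """SHA-1 truncated to its top `bits` bits, so the searches below finish quickly.

    Truncation is only a stand-in for a weak hash: the 2**(n/2) vs 2**n argument
    applies to any n-bit hash, full SHA-1 (n = 160) included.
    """
    full = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return full >> (160 - bits)


def find_collision(bits: int):
    """Attacker picks BOTH documents: generate candidates until any two share a digest.

    Expected cost is the birthday bound, roughly sqrt(pi/2 * 2**bits) candidates,
    i.e. on the order of 2**(bits/2). Returns (doc_a, doc_b, attempts).
    """
    seen = {}          # digest -> first candidate that produced it
    attempts = 0
    while True:
        attempts += 1
        doc = b"attacker-doc-%d" % attempts      # constructed candidate text
        d = truncated_digest(doc, bits)
        if d in seen:
            return seen[d], doc, attempts
        seen[d] = doc


def find_second_preimage(target: bytes, bits: int):
    """Target is FIXED (the victim's key material): find a different input with its digest.

    Every candidate must hit one specific value, not any earlier candidate, so there is
    no birthday shortcut: expected cost is about 2**bits. Returns (doc, attempts).
    """
    want = truncated_digest(target, bits)
    attempts = 0
    while True:
        attempts += 1
        doc = b"forged-doc-%d" % attempts        # constructed candidate text
        if doc != target and truncated_digest(doc, bits) == want:
            return doc, attempts


def compare_attack_costs(bits: int = 20) -> dict:
    """Run both searches at the same hash width and report how many tries each took."""
    victim_key = b"constructed victim public-key packet"   # stand-in for real key material
    a, b, collision_attempts = find_collision(bits)
    forged, preimage_attempts = find_second_preimage(victim_key, bits)
    # Sanity checks: both results are genuine matches on distinct inputs.
    assert a != b and truncated_digest(a, bits) == truncated_digest(b, bits)
    assert forged != victim_key
    assert truncated_digest(forged, bits) == truncated_digest(victim_key, bits)
    return {
        "bits": bits,
        "collision_attempts": collision_attempts,
        "second_preimage_attempts": preimage_attempts,
    }


if __name__ == "__main__":
    result = compare_attack_costs()
    print("hash width      : %d bits" % result["bits"])
    print("collision       : %d tries (~2**%d expected)" % (result["collision_attempts"], result["bits"] // 2))
    print("second preimage : %d tries (~2**%d expected)" % (result["second_preimage_attempts"], result["bits"]))
```

At 160 bits the same gap is 2**80 versus 2**160, which is why a collision result by itself does not hand an attacker someone else's fingerprint; the thread's disagreement is over how long a cryptanalytic shortcut stays confined to the collision column, as happened with MD5.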



More information about the Gnupg-users mailing list