Confusion with signature digest type.

Robert J. Hansen rjh at sixdemonbag.org
Fri Apr 26 20:54:10 CEST 2013


On 4/26/2013 12:18 PM, Mason Loring Bliss wrote:
> While I agree with what you're saying, the big difference between this
> situation and your example is that it's trivially easy for me to say "use
> this digest method instead of this other one" and then forget about it.

Sure: but what does it gain you?  The answer would seem to be, "on the
balance of probabilities, virtually nothing."

All the hash algorithms in OpenPGP are mathematically similar.  They're
all built around Merkle-Damgard constructions.  History shows us that
when there's a successful attack against one Merkle-Damgard
construction, quite often this attack spurs new equivalent attacks
against other hashes in the Merkle-Damgard family.  This is one of the
reasons why so few people recommend RIPEMD-160, for instance: despite
the fact that there are no effective attacks against it, the consensus
opinion seems to be that RIPEMD-160 is just too similar to SHA-1 and MD5
for there to be real confidence in it.

Let me repeat: *all* the hash algorithms in OpenPGP are Merkle-Damgards.

So if there's not just a collision attack against SHA-1, but a preimage
attack, well... are you really going to have any confidence in your
signatures just because you're using SHA-256?  I wouldn't.  A preimage
attack on SHA-1 would tell me the entirety of the Merkle-Damgard family
is suspect and I need to stop using them immediately.

> Security is about nudging up the bar.

Yes: and is what you're talking about really a nudge?  Or is it an act
that appears to be a nudge, while in reality achieving effectively zero?

(Note that I'm not expressing doubt.  You're the one who knows your
threat model, not me.  If you tell me that yes, this is a real nudge up,
then that settles the question.  I'm only raising a question: I am
entirely apathetic as to the answer.)
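As an added example, not code from this thread or from GnuPG: the shared skeleton the message refers to, written out in Python as a generic Merkle-Damgard driver with SHA-1's compression function plugged in and checked against hashlib. The `length_extend` function shows one concrete consequence of every OpenPGP digest having this structure: the output is the final chaining state, so H(m) and len(m) are enough to continue hashing. The message and suffix are constructed sample values.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def sha1_compress(state, block):
    # One compression step: (chaining value, 64-byte block) -> new chaining value.
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK32, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))

def md_padding(total_len):
    # Merkle-Damgard strengthening: 0x80, zero-fill to 56 mod 64, then the 64-bit bit length.
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def md_hash(compress, state, data, prior_len=0):
    # Generic Merkle-Damgard driver: pad, then chain `compress` over 64-byte blocks
    # (prior_len = bytes already absorbed into `state`; 0 for a fresh hash).
    data = data + md_padding(prior_len + len(data))
    for off in range(0, len(data), 64):
        state = compress(state, data[off:off + 64])
    return b"".join(struct.pack(">I", s) for s in state)

def length_extend(digest, orig_len, suffix):
    # The digest *is* the final chaining state, so H(m || pad(m) || suffix) follows
    # from H(m) and len(m) alone; m itself is never needed.
    glue = md_padding(orig_len)
    state = struct.unpack(">5I", digest)
    return glue, md_hash(sha1_compress, state, suffix, prior_len=orig_len + len(glue))

def check_against_hashlib(msg=b"constructed sample message", suffix=b"-appended"):
    # Self-check: our driver matches hashlib, and the extension matches hashlib on m||glue||suffix.
    digest = hashlib.sha1(msg).digest()
    glue, ext = length_extend(digest, len(msg), suffix)
    return md_hash(sha1_compress, SHA1_IV, msg) == digest and ext == hashlib.sha1(msg + glue + suffix).digest()
```

Swapping `sha1_compress` and `SHA1_IV` for another family member's compression function and IV leaves `md_hash` and `md_padding` unchanged, which is the similarity the message is pointing at.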
