RSA // OAEP // SHA-1

vedaal at vedaal at
Wed Jan 30 21:50:14 CET 2013

On Wednesday, January 30, 2013 at 3:28 PM, "Michel Messerschmidt" <lists at> wrote:

>Although it is the default, RFC 3447 is not restricted to SHA-1.
>Appendix B actually states:
>"For the RSAES-OAEP encryption scheme and EMSA-PSS encoding 
>only SHA-1 and SHA-256/384/512 are recommended."

Which would mean that GnuPG wouldn't need any overhaul of standards to move from a default of SHA-1 to SHA-256,
(although it might involve making changes to the crypto library that GnuPG uses for RSA).

After thinking about it some more, though, it doesn't seem like much of a threat to continue SHA-1,
(or at least, less important for GnuPG to concern itself, than with the SHA-1 involved in the fingerprint.)

GnuPg uses RSA padding  only to encrypt and decrypt the random session key.
All other encryption is done by symmetric algorithms and doesn't involve RSA and its padding.

As the session key is random, it isn't vulnerable to a plain-text attack, and might not need any padding at all,
and so, the hash function used for the padding isn't such an issue...

Sorry to take up the time needlessly.


More information about the Gnupg-users mailing list