SHA1 collision found
Peter Lebbing
peter at digitalbrains.com
Thu Feb 23 19:48:13 CET 2017
On 23/02/17 19:24, sivmu at web.de wrote:
> As this is currently not applicable in practice, I would like to know
> what this new development means for pgp-gnupg and the use of SHA1 for
> key identification.
I already answered that here[1]. The use of SHA-1 in fingerprints is not
susceptible to a collision attack, so it's still safe. SHA-1 in
fingerprints is only susceptible to a second-preimage attack which is
much harder than a collision attack and unheard of for SHA-1.
> After researching how the fingerprint is generated, I think it would
> be easy to include a new option in gnupg to print a fingerprint using
> sha256. Would that be something that will/can be included in future
> versions of gnupg?
It wouldn't help because of all the places SHA-1 is used internally if
you just change how it is displayed to the user. Disclaimer: I'm not a
developer, but this is my understanding of it. I can't say for sure.
HTH,
Peter.
[1] <https://lists.gnupg.org/pipermail/gnupg-users/2017-January/057547.html>
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170223/8442c26c/attachment-0001.sig>
More information about the Gnupg-users
mailing list