SHA1 collision found
peter at digitalbrains.com
Thu Feb 23 19:48:13 CET 2017
On 23/02/17 19:24, sivmu at web.de wrote:
> As this is currently not applicable in practice, I would like to know
> what this new development means for pgp-gnupg and the use of SHA1 for
> key identification.
I already answered that here. The use of SHA-1 in fingerprints is not
susceptible to a collision attack, so it's still safe. SHA-1 in
fingerprints is only susceptible to a second-preimage attack which is
much harder than a collision attack and unheard of for SHA-1.
> After researching how the fingerprint is generated, I think it would
> be easy to include a new option in gnupg to print a fingerprint using
> sha256. Would that be something that will/can be included in future
> versions of gnupg?
It wouldn't help because of all the places SHA-1 is used internally if
you just change how it is displayed to the user. Disclaimer: I'm not a
developer, but this is my understanding of it. I can't say for sure.
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users