SHA1 collision found

Christoph Anton Mitterer calestyo at scientia.net
Fri Feb 24 00:39:17 CET 2017


On Thu, 2017-02-23 at 13:58 -0500, Robert J. Hansen wrote:
> > "Migrating to SHA256"
> section in
> the FAQ?

What I always kinda wonder is why crypto or security experts, at least
in some sense, never seem to learn.
When MD5 got its first scratches, some people started to demand its
ASAP retirement (which didn't happen... partially also with arguments
that it's not yet broken for these and those purposes in practice)...
in the end people waited so long that it was in a way already too late.
Remember the forged MD5-based X.509 cert? And this was made by some
"good guys"; God knows how many actual attacks may have been driven by
much stronger organisations where people actually were harmed in the
end.

SHA1 may have been phased out (more or less) in the X.509 world, but
it's still pretty present in many other places.
It's been known to have issues for some years, and for the same number
of years many experts still defended it as not being broken for these
and those use cases...
And now we're again in the situation that it's still used in production
(probably for years to come), and we have at least a collision.
That may not be the one big fire alert where everything burns down...
but it should really be a ringing bell...


Now every time new algos come up, or e.g. when ideas for the next
OpenPGP version are started, a big bunch of experts seem to go for the
most conservative way possible. And I'm not talking about the good
conservatism (i.e. using algos based on long-standing and well-
understood math)... but rather things like: let's better not use SHA512
or SHA3 when we could also just use SHA256; let's better not specify
large curves when we can go with a much smaller one.

And every time the same argument is brought up, that these would still
be way enough to take hundreds of years to crack... but so far (as with
SHA1) it was always broken much earlier.


The last time I followed the discussion about the next OpenPGP, it
seemed people rather wanted to hard-wire only a few algos for
everything, which would be just the same problem as with SHA1...
instead all algos should be pretty easily exchangeable.
So when the same happens for the next OpenPGP version, just with
SHA256, I'll bet that we face the same problems with SHA256 far earlier
than everyone wishes.


Not to talk about the more and more realistic threat posed by quantum
computers.


IMO we should rather go for the stronger algos, or even combine algos
when this makes sense because their underlying math is different, so
that breaking one would still not directly affect the other.
And we should rather make any crypto algo as easily exchangeable as
possible.


Cheers,
Chris.
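As an added illustration of the two points Chris closes with (make algorithms exchangeable; combine constructions whose underlying math differs), here is example code that is not part of this email, of the list discussion, or of GnuPG. It shows a digest format that carries the algorithm name, a policy list of retired algorithms that the verifier refuses even when the stored value would match, and a combined digest over SHA-256 (a Merkle-Damgard design) and SHA3-256 (a Keccak sponge). The tag format, the RETIRED set and all function names are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed policy for this example: digest algorithms the verifier
# refuses, even when the stored digest would otherwise match.
RETIRED = frozenset({"md5", "sha1"})


def tagged_digest(data: bytes, algo: str = "sha256") -> str:
    """Return 'algo:hex' so the algorithm name travels with the digest.

    Tagging is what makes the algorithm exchangeable: a later reader can
    tell which function produced a stored value instead of guessing from
    its length.
    """
    if algo in RETIRED:
        raise ValueError(f"{algo} is retired; pick a current algorithm")
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"


def verify_tagged(data: bytes, tagged: str) -> bool:
    """Recompute a tagged digest over data and compare in constant time.

    A digest produced with a retired algorithm fails verification even if
    it matches, which is how old values get flushed out of a system once
    policy changes.
    """
    algo, sep, expected = tagged.partition(":")
    if not sep or algo in RETIRED:
        return False
    try:
        actual = hashlib.new(algo, data).hexdigest()
    except ValueError:  # unknown or unavailable algorithm name
        return False
    return hmac.compare_digest(actual, expected)


def combined_digest(data: bytes, algos=("sha256", "sha3_256")) -> str:
    """Concatenate digests from algorithms built on different designs.

    A collision for the combined value must be a collision for every
    member, so it is at least as collision-resistant as the strongest one.
    The tag lists all members so the combination is itself exchangeable.
    """
    for algo in algos:
        if algo in RETIRED:
            raise ValueError(f"{algo} is retired; pick a current algorithm")
    parts = [hashlib.new(a, data).hexdigest() for a in algos]
    return "+".join(algos) + ":" + "+".join(parts)


def verify_combined(data: bytes, tagged: str) -> bool:
    """Every member digest must verify; one mismatch rejects the whole."""
    algo_part, sep, digest_part = tagged.partition(":")
    if not sep:
        return False
    algos = algo_part.split("+")
    digests = digest_part.split("+")
    if len(algos) != len(digests):
        return False
    return all(verify_tagged(data, f"{a}:{d}") for a, d in zip(algos, digests))


if __name__ == "__main__":
    sample = b"constructed sample message"  # constructed input
    tag = tagged_digest(sample)
    print(tag, verify_tagged(sample, tag))
    combo = combined_digest(sample)
    print(combo, verify_combined(sample, combo))
    # A legacy record stored with SHA-1 is rejected regardless of content.
    legacy = "sha1:" + hashlib.sha1(sample).hexdigest()
    print(legacy, verify_tagged(sample, legacy))
```

Retiring an algorithm is then a one-line policy change rather than a format migration, and the tagged values stored by the old code keep identifying themselves so they can be found and re-hashed.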


