Avoid recipient-compatibility SHA1

Stefan Claas spam.trap.mailing.lists at gmail.com
Wed Nov 18 14:30:12 CET 2020


On Tue, Nov 17, 2020 at 11:11 PM Ernst G Giessmann via Gnupg-users
<gnupg-users at gnupg.org> wrote:
>
> The answer to the second question is:
>
> A SHA-1 collision of two documents D1 and D2 means that the hash values
> Hash(D1) and Hash(D2) are equal, which in turn means that (regardless
> who signs) any signature of D1 (be it OpenPGP or S/MIME) can also be used
> as a signature of D2. Any signer and any key, if used with SHA-1!
>
> So if you got a harmless document D to sign, you must be sure that there
> is no evil twin of it. This is usually the case if you are the author of
> D, because the construction of an evil twin remains hard. But it is easy
> to construct docs with the same hash value.
>
> /Ernst.

Thanks for your reply! So if I check the SHA1 checksums
from https://gnupg.org/download/integrity_check.html
and Alice checks the same files from another, evil site, then we
could have a problem with tools like openssl or the shasum tool.

But, sorry to ask again.

I'd like to give an example.

Mallory has managed to listen to the clear text communications from
Alice and Bob's online devices. Alice and Bob always use GnuPG
to digitally sign their messages.

Mallory is *not* in possession of the private keys from Alice and Bob.
Mallory has created a document which causes a collision and was
signed with his own key.

He sends this message to Alice. What does Alice see when she
does a gpg --verify? I mean she should see, regardless of whether the
message has a collision or not, that the message was digitally
signed by Mallory's private key and not by Bob's private key.

Regards
Stefan
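
The two points in this exchange (a signature over a hash carries over to any document with the same hash, and verification still names the key that made it) shown as an added example that is not part of the original posts. It is a toy model, not OpenPGP: SHA-1 truncated to 16 bits stands in for a collision-broken hash, and textbook RSA with small constructed primes stands in for the signature algorithm (Python 3.8+).

```python
import hashlib
from itertools import count

def weak_hash(data):
    """Stand-in for a collision-broken hash: SHA-1 cut to 16 bits (assumption)."""
    return int.from_bytes(hashlib.sha1(data).digest()[:2], "big")

def make_key(p, q, e=65537):
    """Textbook RSA key pair from two small primes (constructed, insecure size)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def sign(doc, priv):
    """Sign only the hash of the document, as hash-then-sign schemes do."""
    n, d = priv
    return pow(weak_hash(doc), d, n)

def verify(doc, sig, pub):
    """True if sig was made by the private half of pub over a document with this hash."""
    n, e = pub
    return pow(sig, e, n) == weak_hash(doc)

def find_twins(harmless, evil):
    """Append counters to both texts until a harmless and an evil variant collide."""
    seen = {}
    for i in count():
        h_doc = harmless + b" #%d" % i
        seen[weak_hash(h_doc)] = h_doc
        e_doc = evil + b" #%d" % i
        h = weak_hash(e_doc)
        # Skip hash values 0 and 1: their RSA signature is the same under every key.
        if h > 1 and h in seen:
            return seen[h], e_doc

# Constructed sample keys and documents.
BOB_PUB, BOB_PRIV = make_key(1009, 1013)
MALLORY_PUB, MALLORY_PRIV = make_key(1019, 1021)
D1, D2 = find_twins(b"Pay Mallory 10 EUR", b"Pay Mallory 10000 EUR")
SIG_BOB = sign(D1, BOB_PRIV)          # Bob signs the harmless twin
SIG_MALLORY = sign(D2, MALLORY_PRIV)  # Mallory signs the evil twin himself

if __name__ == "__main__":
    print("Bob's signature of D1 verifies on D2 with Bob's key:", verify(D2, SIG_BOB, BOB_PUB))
    print("Same signature checked against Mallory's key:", verify(D2, SIG_BOB, MALLORY_PUB))
    print("Mallory's own signature checked against Bob's key:", verify(D2, SIG_MALLORY, BOB_PUB))
```

The collision moves a signature between documents, never between keys: a colliding message Mallory signs himself verifies only against Mallory's public key.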


