Who protects the private key (was: Changing the encryption algorithm used for PGP/GPG private key)
Daniel Colquitt
hello at danielcolquitt.com
Sun Feb 20 09:30:36 CET 2022
> Has it really been that long? ... No, it has not been: a free-start
> collision was found on the SHA-1 compression function in 2015, less than
> 7 years ago.
>
> As far as I know, a single collision pair ("SHAttered") has been produced,
> using about 9 months on a very large cluster, against the full SHA-1.
> There is no comparison here to MD5, for example.
I used "broken" in the formal cryptographic sense - finding collisions
faster than brute force. Although SHAttered was the first public collision,
attacks capable of finding collisions far quicker than brute force have been
known since 2005 <https://eprint.iacr.org/2007/474>
> Further, only collisions have been
> demonstrated so far, and if Mallory producing a colliding private key is a
> concern for you, you have bigger problems, like Mallory having provided
> your private key in the first place!
>
> It is also worth noting that SHA-1 is (as far as I know) only used as a
> fancy checksum here to guard against data corruption. If Mallory even has
> access to potentially replace your private key, you have bigger problems
> than potential weaknesses of the checksum on that key.
I agree with you, and Robert Hansen above, insofar as there is no practical
weakness in using SHA-1 as part of a key derivation algorithm. However, I
would argue that there is a serious problem with using SHA-1 to verify
digital signatures - but that is a matter for OpenPGP rather than GnuPG.
Nevertheless it does seem imprudent to use a formally broken hash function
by default, whilst silently ignoring options that users would reasonably
expect to change the algorithms used.
Dan
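An added example, not from this thread or from GnuPG itself: a small Python inspector for a key file from gpg-agent's private-keys-v1.d that reports which wrapping mode, S2K hash and iteration count actually guard the key, so a user can confirm what the agent applied rather than what the options appeared to request. It assumes the canonical S-expression layout (protected <mode> ((<hash> <salt> <count>) <iv>) <ciphertext>) described in gpg-agent's protect.c; the sample key files below are constructed dummies.

```python
import re
_LEN = re.compile(rb"(\d+):")

def parse_csexp(data: bytes, pos: int = 0):
    """Parse one canonical S-expression element at pos -> (element, next_pos)."""
    if data[pos:pos + 1] == b"(":                       # list: recurse until ")"
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b")":
            item, pos = parse_csexp(data, pos)
            items.append(item)
        return items, pos + 1
    m = _LEN.match(data, pos)                           # atom: "<len>:<bytes>"
    if not m:
        raise ValueError(f"malformed canonical S-expression at offset {pos}")
    end = m.end() + int(m.group(1))
    return data[m.end():end], end

def to_csexp(node) -> bytes:
    """Inverse of parse_csexp; used below only to build the constructed samples."""
    if isinstance(node, bytes):
        return b"%d:%s" % (len(node), node)
    return b"(" + b"".join(to_csexp(n) for n in node) + b")"

def describe_protection(blob: bytes) -> dict:
    """Report what guards the key: the wrapping mode, S2K hash and iteration
    count, and whether plaintext integrity rests on a SHA-1 digest (legacy CBC
    mode) or on the AEAD tag (OCB mode). Layout per protect.c (assumption)."""
    key, _ = parse_csexp(blob)
    kind = key[0].decode()                              # e.g. protected-private-key
    if kind != "protected-private-key":                 # plain, or shadowed on a card
        return {"kind": kind, "mode": None, "hash": None, "count": None,
                "sha1_checksum": False}
    prot = next(e for e in key[1] if isinstance(e, list) and e[0] == b"protected")
    mode, s2k = prot[1].decode(), prot[2][0]            # params: ((hash salt count) iv)
    return {"kind": kind, "mode": mode, "hash": s2k[0].decode(),
            "count": int(s2k[2]), "sha1_checksum": mode.endswith("-sha1-aes-cbc")}

def _sample(mode: bytes, iv: bytes) -> bytes:
    # Constructed sample key file: salt, IV/nonce and ciphertext are dummy bytes.
    return to_csexp([b"protected-private-key", [b"rsa",
        [b"n", b"\x00\xc1" + b"\x11" * 6], [b"e", b"\x01\x00\x01"],
        [b"protected", mode, [[b"sha1", b"SALTSALT", b"17895680"], iv], b"\xaa" * 32],
        [b"protected-at", b"20220220T083036"]]])

SAMPLE_CBC = _sample(b"openpgp-s2k3-sha1-aes-cbc", b"IVIVIVIVIVIVIVIV")   # 16-byte IV
SAMPLE_OCB = _sample(b"openpgp-s2k3-ocb-aes", b"NONCENONCE12")           # 12-byte nonce
```

Run describe_protection(open(path, "rb").read()) on a file under ~/.gnupg/private-keys-v1.d/ to see the values the agent really applied.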