phasing out SHA1 for digest creation

Bernhard Reiter bernhard at intevation.de
Thu Dec 5 11:37:44 CET 2024


Hi Werner,

last year in March 2023 you wrote in
   https://dev.gnupg.org/T6433

to the question
> > Is there some plan to disable SHA-1 signatures by including this in the
> > weak algorithms list in close future?
> No, it would break the verification of too many signatures.

Just rereading
  https://www.gnupg.org/faq/weak-digest-algos.html
> Although the SHA-1 algorithm shows signs of weaknesses as well,
> it is still very hard and time consuming to create collisions.
> Mounting a pre-image attack is still far out of reach.   

Wikipedia has
>  As of 2020, chosen-prefix attacks against SHA-1 are practical.[6][8]

[6] 
https://www.ntu.edu.sg/news/detail/critical-flaw-demonstrated-in-common-digital-security-algorithm
| [chosen-prefix collision attack]
| using a cluster of 900 GPUs running for two months,
| the pair have successfully demonstrated their way to break the SHA-1
| algorithm using this attack

[8] is the same research result, adding costs
|  using 900 Nvidia GTX 1060 GPUs (we paid US$ 75k

and machines got faster.

Is the statement of https://www.gnupg.org/faq/weak-digest-algos.html
for 2025 still current?  It feels outdated.

This page is not linked from 
https://www.gnupg.org/faq/gnupg-faq.html
so maybe it should have been deleted already. I suggest deleting it.

I also suggest changing the default to not create SHA1 message digests
by default anymore, unless an option is given. (And update
https://dev.gnupg.org/T6433)

As for verification, how many signatures would be affected,
do we have any ideas since when no new signatures with SHA1 digests
are created? Maybe adding a deprecation warning is another path?
It has been more than 18 months since March 2023. :)

NIST aims to phase out SHA1 by 2030 (if Wikipedia is right), I think this
means old signatures.

In short, there should be a plan.

Best Regards,
Bernhard

-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter
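A helper for the "how many signatures would be affected" question raised above, added here as an example and not part of the message or of GnuPG: it parses the v4 signature packet layout from RFC 4880 (section 5.2.3) and reports the digest algorithm of each signature, so SHA-1 signatures in an archive of existing detached signatures can be counted before a stricter default or a deprecation warning is introduced. The sample packets and the armored wrapper are constructed for the example, and the CRC line in the armor is a dummy.

```python
import base64
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",      # RFC 4880 9.4;
              9: "SHA384", 10: "SHA512", 11: "SHA224"}                # 1 and 2 are weak

def dearmor(text: str) -> bytes:
    """Strip an ASCII-armored block (BEGIN/END lines, headers, CRC) to binary."""
    body = text.strip().splitlines()[1:-1]
    while body and body[0].strip():       # armor headers end at the first blank line
        body.pop(0)
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def packets(data: bytes):
    """Yield (tag, body) per packet; 1- and 2-octet lengths only (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                    # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            else:
                raise ValueError("partial/5-octet lengths not supported")
        else:                             # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 0:
                length, i = data[i + 1], i + 2
            elif ltype == 1:
                length, i = int.from_bytes(data[i + 1:i + 3], "big"), i + 3
            else:
                raise ValueError("4-octet/indeterminate lengths not supported")
        yield tag, data[i:i + length]
        i += length

def signature_digests(data: bytes) -> list:
    """Return the digest name of each v4 signature packet (tag 2) in data."""
    names = []
    for tag, body in packets(data):
        if tag == 2:                      # body: version, sig type, pk algo, hash algo, ...
            if body[0] != 4:
                raise ValueError(f"unsupported signature version {body[0]}")
            names.append(HASH_ALGOS.get(body[3], f"unknown({body[3]})"))
    return names

# Constructed samples: two v4 RSA signatures (hash ids 2 = SHA1, 8 = SHA256), old-format
# headers, dummy hash prefix, one-byte MPI; ARMORED is the same bytes with a dummy CRC.
SAMPLE = bytes.fromhex("880d0400010200000000abcd0008ff" "880d0400010800000000abcd0008ff")
ARMORED = ("-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(SAMPLE).decode()
           + "\n=crc0\n-----END PGP SIGNATURE-----\n")
```

Run `signature_digests(dearmor(open(path).read()))` over each `.asc` file (or `signature_digests(open(path, "rb").read())` for binary `.sig` files) and count the entries equal to "SHA1" or "MD5".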