phasing out SHA1 for digest creation

Bruce Walzer bwalzer at 59.ca
Thu Dec 5 23:59:00 CET 2024


On Thu, Dec 05, 2024 at 06:13:44PM +0100, Rainer Perske wrote:
[...]
> See https://shattered.io

I was referring to something like Shattered in my previous comment. I
thought Shattered was about signing keys not documents.

> Attacker takes the good document and the bad document with the same hash.
> Attacker asks victim to sign the good document.

Then the victim signs the document with SHA-256. Why would the victim
use SHA-1? It might be reasonable to prevent the use of SHA-1 for new
signatures, but isn't that already the case in practice? Here is the
preference list of digest hashes I got by default on a 4 year old key:

    Digest: SHA512, SHA384, SHA256, SHA224, SHA1

Does the problem somehow exist for very old keys?

At any rate, if an attacker actually ever did something like this,
presumably the victim would know they did not actually sign the
document. If it turned out that SHA-1 was used then we could look at
the document to see where the SHA-1 collision prefix was hidden. If
there was a fraud then legal action could be initiated based on strong
proof of a forgery. Appropriate countermeasures could be discussed to
prevent the signing of new documents using SHA-1. For now, this is a
non-issue.

Bruce
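The message above argues that the practical question is whether SHA-1 is still being chosen for new signatures, and points at the key's digest preference list as the evidence. The following is an added example, not code from the thread or from GnuPG: a small audit script that reads the "Digest:" line from the `showpref` block of `gpg --edit-key` (the format quoted in the message) and the `digest algo` field of signature packets from `gpg --list-packets`, and reports where a weak digest would be chosen or has already been used. The sample output embedded below is constructed, the key id is a placeholder, and the exact field layout of `--list-packets` output is assumed from typical gpg 2.x behaviour.

```python
"""Audit GnuPG text output for SHA-1 / MD5 digest use.

Added example for the mailing-list discussion; not GnuPG's own code.
"""
import re

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160",
              8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {"MD5", "SHA1"}

# Constructed sample of the preference block printed by `showpref` inside
# `gpg --edit-key`; the "Digest:" line matches the one quoted in the message.
SAMPLE_SHOWPREF = """\
     Cipher: AES256, AES192, AES, 3DES
     AEAD: OCB
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
"""

# Constructed sample of `gpg --list-packets` output for a file carrying two
# signatures. The key id is a placeholder and the field layout is assumed
# from gpg 2.x output, not copied from a real run.
SAMPLE_LIST_PACKETS = """\
# off=0 ctb=89 tag=2 hlen=3 plen=307
:signature packet: algo 1, keyid 0000000000000000
\tversion 4, created 1733439540, md5len 0, sigclass 0x00
\tdigest algo 2, begin of digest a1 b2
\thashed subpkt 2 len 4 (sig created 2024-12-05)
# off=310 ctb=89 tag=2 hlen=3 plen=307
:signature packet: algo 1, keyid 0000000000000000
\tversion 4, created 1733439541, md5len 0, sigclass 0x00
\tdigest algo 8, begin of digest c3 d4
\thashed subpkt 2 len 4 (sig created 2024-12-05)
"""


def parse_digest_prefs(showpref_text):
    """Ordered digest preference list from showpref output, or [] if absent."""
    m = re.search(r"^\s*Digest:\s*(.+?)\s*$", showpref_text, re.MULTILINE)
    return [p.strip() for p in m.group(1).split(",")] if m else []


def parse_signature_digests(list_packets_text):
    """Digest algorithm name used by each signature packet, in file order."""
    ids = re.findall(r"^\s*digest algo (\d+)", list_packets_text, re.MULTILINE)
    return [HASH_ALGOS.get(int(n), f"unknown({n})") for n in ids]


def audit(showpref_text, list_packets_text):
    """Report weak digests a key would choose and weak digests already used.

    A weak digest in the trailing position (as in the key quoted in the
    message, where SHA1 is last) is only a fallback; it is flagged here only
    when it is listed ahead of a stronger one, because that ordering is what
    would make gpg pick it for a new signature.
    """
    prefs = parse_digest_prefs(showpref_text)
    risky_prefs = [p for p in prefs[:-1] if p in WEAK_DIGESTS]
    sigs = parse_signature_digests(list_packets_text)
    weak_sigs = [(i + 1, d) for i, d in enumerate(sigs) if d in WEAK_DIGESTS]
    return {"prefs": prefs, "risky_prefs": risky_prefs,
            "signature_digests": sigs, "weak_signatures": weak_sigs}


if __name__ == "__main__":
    report = audit(SAMPLE_SHOWPREF, SAMPLE_LIST_PACKETS)
    print("digest preferences:", ", ".join(report["prefs"]))
    print("weak digest preferred over a stronger one:", report["risky_prefs"] or "none")
    for index, digest in report["weak_signatures"]:
        print(f"signature #{index} was made with {digest}")
```

Run against real output by piping `gpg --list-packets file.sig` into the script instead of the constructed sample; the point of the preference check is the one the message makes: SHA1 appearing last in a default preference list is the fallback position, whereas a signature packet that actually records `digest algo 2` is the case worth investigating.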
