phasing out SHA1 for digest creation
Jacob Bachmeyer
jcb62281 at gmail.com
Sat Dec 7 02:42:08 CET 2024
On 12/6/24 02:11, Wiktor Kwapisiewicz via Gnupg-devel wrote:
> On 6.12.2024 01:54, Jacob Bachmeyer via Gnupg-devel wrote:
>> This could be as simple as including a nonce in the signature.
>
> Just for the record, due to the way of how OpenPGP hashes files,
> there's plenty of other metadata influencing the final hash e.g.
> signature creation time (I guess it's rather improbable that the
> attacker would control that up to a second precision; it's not a high
> entropy data though; also: some implementations embed nonce data in
> notations).
So PGP is already resistant to such attacks and can be made entirely
immune by simply adding a nonce to the signature, which the protocol
already allows?

Does GPG already do this? If not, can this message count as a feature
request for secure nonces in signatures? Even 64 bits should be enough
to guard against collision-based forgeries, but I would suggest a nonce
length equal to one half of the digest length.

(I initially wanted to propose making the nonce length equal to the
digest length, but the pigeonhole principle suggests that a nonce that
long *might* make signatures malleable with enough computation---an
attacker *might* be able to use the nonce field to make a signature
"fit" a different document hash. I do not know if factoring a 4096-bit
RSA key would be easier---I would expect such an attack to be
computationally infeasible.)

Alternately, for the next PGP protocol version, including a nonce N in
the calculation of the digest H and also signing {N,H} instead of just H
should allow longer nonces without risking the signature integrity. (I
wonder if the SSH developers were thinking along those lines...)

-- Jacob
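The following is an added illustration of the "include a nonce N in the calculation of H and sign {N,H}" idea from the last paragraph; it is not code from this thread or from GnuPG. It assumes a toy Merkle-Damgård hash with a 32-bit chaining state (real SHA-1 and SHA-2 use the same structure with a far wider state), constructed one-block "invoice" messages as the documents, and a 128-bit nonce hashed before the document. The nonce goes in front deliberately: SHA-1 collision attacks deliver two messages with the same internal chaining value, and any data appended after such a pair (the document-then-metadata order that OpenPGP v4 hashes) is processed from that shared state, so it still collides. A nonce hashed first changes the state the attacker's blocks start from, so a collision prepared in advance no longer verifies against the other document.

```python
import hashlib
import secrets

# Toy Merkle-Damgard hash. The construction is real (chaining state, fixed block
# size, length padding), but the state is only 32 bits wide so that a collision
# can be found here by a birthday search in well under a second.  Constructed
# for this example; nothing here is GnuPG's or OpenPGP's actual hashing code.
STATE_BYTES = 4
BLOCK_BYTES = 16
IV = b"\x00" * STATE_BYTES
NONCE_BYTES = BLOCK_BYTES  # 128-bit nonce, occupying exactly one block


def compress(state: bytes, block: bytes) -> bytes:
    """Compression function: SHA-256 over (state || block), truncated to the state width."""
    assert len(state) == STATE_BYTES and len(block) == BLOCK_BYTES
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]


def pad(msg: bytes) -> bytes:
    """MD-strengthening padding: 0x80, zero fill, then the 64-bit message bit length."""
    out = msg + b"\x80"
    out += b"\x00" * ((-len(out) - 8) % BLOCK_BYTES)
    return out + (8 * len(msg)).to_bytes(8, "big")


def chain(state: bytes, data: bytes) -> bytes:
    """Run the compression function over block-aligned data, starting from state."""
    assert len(data) % BLOCK_BYTES == 0
    for i in range(0, len(data), BLOCK_BYTES):
        state = compress(state, data[i:i + BLOCK_BYTES])
    return state


def toy_hash(msg: bytes) -> bytes:
    return chain(IV, pad(msg))


def find_internal_collision() -> tuple:
    """Birthday search for two distinct one-block messages that reach the same
    chaining value after their first block.  Real SHA-1 attacks deliver exactly
    this kind of pair (identical prefix, same internal state)."""
    seen = {}
    i = 0
    while True:
        msg = b"INVOICE %08x" % i  # constructed document, exactly BLOCK_BYTES long
        cv = compress(IV, msg)
        if cv in seen:
            return seen[cv], msg
        seen[cv] = msg
        i += 1


def collision_survives_suffix(m1: bytes, m2: bytes, suffix: bytes) -> bool:
    """Same internal state means any common suffix (e.g. signature metadata hashed
    after the document) leaves the two messages colliding."""
    return toy_hash(m1 + suffix) == toy_hash(m2 + suffix)


def digest_with_nonce(nonce: bytes, doc: bytes) -> bytes:
    """Digest for the 'sign {N, H}' construction: the nonce is hashed before the document."""
    assert len(nonce) == NONCE_BYTES
    return toy_hash(nonce + doc)


def sign_document(doc: bytes) -> tuple:
    """Signer side: draw a fresh random nonce at signing time and return the (N, H)
    pair that would be handed to the asymmetric signature primitive."""
    nonce = secrets.token_bytes(NONCE_BYTES)
    return nonce, digest_with_nonce(nonce, doc)


def verify_document(doc: bytes, nonce: bytes, h: bytes) -> bool:
    """Verifier side: recompute H from the transmitted N and the presented document."""
    return digest_with_nonce(nonce, doc) == h


if __name__ == "__main__":
    m1, m2 = find_internal_collision()
    metadata = b"sig-created=2024-12-06"  # stands in for hashed subpackets appended after the document
    print("colliding documents:", m1, m2)
    print("still collide with metadata appended:", collision_survives_suffix(m1, m2, metadata))
    nonce, h = sign_document(m1)
    print("signature verifies for m1:", verify_document(m1, nonce, h))
    print("same signature accepted for m2:", verify_document(m2, nonce, h))
```

Running the script shows the two constructed documents colliding with the metadata appended and the nonce-prefixed signature over the first document failing to verify against the second. Because the nonce only needs to be unpredictable to the attacker at the time the colliding documents are prepared, the signer can generate it with a CSPRNG at signing time and transmit it in the clear alongside the signature.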