phasing out SHA1 for digest creation

Rainer Perske rainer.perske at uni-muenster.de
Sat Dec 7 13:20:31 CET 2024 

Hello.

> As I understand, one bit is enough to destroy a tediously prepared collision

If the attacker can prepare one collision, he can also prepare multiple sets collisions.
It only adds some amount of complexity to the attack.

> and Wiktor noted that PGP includes a timestamp (to one second) in the signed data

Timestamps are not random bits. An attacker can set up a situation where the victim will create the signature in a very short time window, and prepare accordingly.

If you need randomness, use real randomness.

> and the protocol allows implementations to add more data to the signature.

Of course there are countermeasures. But they cannot fully compensate weaknesses of the hash algorithm. (If they were, no cryptographic hash algorithm would be needed at all.)

To guide this discussion back to the origin:

B. W. thought that there is no way to launch a collision attack against signatures.

J. B. thought that modifying one bit would be enough protection.

J. B. also thought that including a timestamp would add to security in this situation.

I only want to illustrate kindly with examples why these thoughts are wrong, so that you do not make unsafe decisions based on these – very human – mistakes. (Absolutely no offense intended: I myself make similar mistakes far too often ... :-) )

Kind regards
-- 
Rainer Perske
Systemdienste + Leiter der Zertifizierungsstelle (UCAM)
-- 
Universität Münster
CIT - Center for Information Technology
Rainer Perske, Systemdienste
Röntgenstraße 7-13, Raum 006
48149 Münster
Tel.: +49 251 83-31582
E-Mail: rainer.perske at uni-muenster.de
Website: www.uni-muenster.de/IT

Universitätszertifizierungsstelle Münster (UCAM):
Tel.: +49 251 83-31590
E-Mail: ca at uni-muenster.de
WWW: www.uni-muenster.de/CA

YouTube: youtube.com/@uni_muenster
Instagram: instagram.com/uni_muenster
LinkedIn: linkedin.com/school/university-of-muenster
Facebook: facebook.com/unimuenster
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6319 bytes
Desc: S/MIME cryptographic signature
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20241207/61d70b75/attachment-0001.bin>

More information about the Gnupg-devel mailing list