phasing out SHA1 for digest creation

Werner Koch wk at gnupg.org
Sat Dec 7 14:50:57 CET 2024


Hi!

On Fri,  6 Dec 2024 19:42, Jacob Bachmeyer said:

> Does GPG already do this?  If not, can this message count as a feature
> request for secure nonces in signatures?  Even 64 bits should be

The suggestion of hashing a nonce is meant to mitigate a specific way
to create collisions.  OTOH, an arbitrary random nonce allows changing
the data in an undetectable way - maybe even creating such a collision.

Even worse, a random nonce adds a covert channel to a signed message.
This needs to be avoided in sensitive areas where encryption is not
allowed for exactly that reason.  In particular, the new IETF OpenPGP
specification introduced a mandatory random salt, despite the
counter-arguments that, if a salt is added at all, it must not be
random but be derived from other information.  Some people obviously
want to have this covert channel in signatures.

A nonce, actually a salt, can be introduced in a compatible way with
signature subpackets, and maybe with extra rules to place that salt as
the first subpacket.  Of course, the salt needs to be computed from
other info.

Anyway, there are no signs that SHA-256 can be attacked in a way
similar to SHA-1.  The SHA-3 development process clearly showed that
SHA-256, SHA-384 and SHA-512 are safe choices.


Salam-Shalom,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
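The salt arrangement the message argues for, as an added example that is
not part of the original post, of GnuPG's code or of the OpenPGP
specification: the salt is hashed first, before the signed data, and a
verifier that knows how the salt is derived recomputes it and rejects
any other value, so a signer cannot smuggle bytes through it.  The
derivation (SHA-256 over the signer fingerprint and creation time), the
16-byte salt length, the constructed sample key, fingerprint and message,
and the use of HMAC as a stand-in for the public-key signature are all
assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for this example only.
SIGNER_KEY = b"constructed-signing-key"            # stands in for a private key
SIGNER_FINGERPRINT = hashlib.sha256(b"constructed example key").digest()
MESSAGE = b"Release tarball gnupg-x.y.z.tar.bz2 sha256=..."
CREATION_TIME = 1733579457   # signature creation time, seconds since epoch
SALT_LEN = 16                # assumed salt length for this example


def derived_salt(fingerprint: bytes, creation_time: int) -> bytes:
    """Salt computed from other signature data instead of drawn at random.
    Because it is a function of the fingerprint and creation time, any
    verifier can recompute it.  The construction is an assumption here."""
    h = hashlib.sha256()
    h.update(b"openpgp-sig-salt")
    h.update(fingerprint)
    h.update(creation_time.to_bytes(4, "big"))
    return h.digest()[:SALT_LEN]


def salted_digest(salt: bytes, data: bytes, fingerprint: bytes,
                  creation_time: int) -> bytes:
    """Hash input is salt || data || trailer, with the salt in front so
    attacker-chosen data never forms the first hashed bytes."""
    h = hashlib.sha256()
    h.update(salt)
    h.update(data)
    h.update(fingerprint)
    h.update(creation_time.to_bytes(4, "big"))
    return h.digest()


def make_signature(key: bytes, data: bytes, fingerprint: bytes,
                   creation_time: int, salt: bytes) -> dict:
    digest = salted_digest(salt, data, fingerprint, creation_time)
    # HMAC over the digest stands in for the real public-key signature.
    tag = hmac.new(key, digest, hashlib.sha256).digest()
    return {"fingerprint": fingerprint, "creation_time": creation_time,
            "salt": salt, "tag": tag}


def sign_random_salt(key, data, fingerprint, creation_time) -> dict:
    """Signer picks the salt freely (the random-salt design)."""
    return make_signature(key, data, fingerprint, creation_time,
                          secrets.token_bytes(SALT_LEN))


def sign_derived_salt(key, data, fingerprint, creation_time) -> dict:
    """Signer uses the salt derived from the other signature fields."""
    return make_signature(key, data, fingerprint, creation_time,
                          derived_salt(fingerprint, creation_time))


def covert_signature(key, data, fingerprint, creation_time,
                     hidden: bytes) -> dict:
    """A signer who wants to leak data simply uses it as the 'random'
    salt; nothing in a random-salt verifier can tell the difference."""
    if len(hidden) != SALT_LEN:
        raise ValueError("hidden payload must be exactly one salt long")
    return make_signature(key, data, fingerprint, creation_time, hidden)


def verify(key: bytes, data: bytes, sig: dict,
           require_derived_salt: bool) -> bool:
    """True if sig is valid for data.  With require_derived_salt the
    verifier recomputes the salt and refuses any other value, which is
    what closes the covert channel."""
    if len(sig["salt"]) != SALT_LEN:
        return False
    if require_derived_salt:
        expected_salt = derived_salt(sig["fingerprint"], sig["creation_time"])
        if not hmac.compare_digest(sig["salt"], expected_salt):
            return False
    digest = salted_digest(sig["salt"], data, sig["fingerprint"],
                           sig["creation_time"])
    expected_tag = hmac.new(key, digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected_tag, sig["tag"])


if __name__ == "__main__":
    leak = covert_signature(SIGNER_KEY, MESSAGE, SIGNER_FINGERPRINT,
                            CREATION_TIME, b"leaked 16 bytes!")
    print("random-salt verifier accepts leaking signature:",
          verify(SIGNER_KEY, MESSAGE, leak, require_derived_salt=False))
    print("derived-salt verifier accepts leaking signature:",
          verify(SIGNER_KEY, MESSAGE, leak, require_derived_salt=True))
    good = sign_derived_salt(SIGNER_KEY, MESSAGE, SIGNER_FINGERPRINT,
                             CREATION_TIME)
    print("derived-salt verifier accepts honest signature:",
          verify(SIGNER_KEY, MESSAGE, good, require_derived_salt=True))
```

Run as a script to see the three checks: the signature carrying
`leaked 16 bytes!` as its salt verifies under the random-salt policy and
is rejected once the verifier insists on the derived salt, while an
honest derived-salt signature still verifies and any change to the
signed data breaks it.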

