phasing out SHA1 for digest creation

Bernhard Reiter bernhard at intevation.de
Tue Dec 10 09:58:36 CET 2024



On Thursday 05 December 2024 13:36:20, Bruce Walzer wrote:
> On Thu, Dec 05, 2024 at 11:37:44AM +0100, Bernhard Reiter via Gnupg-devel wrote:
> > last year in March 2023 you wrote in
> >    https://dev.gnupg.org/T6433
>
> There was no discussion of the potential vulnerabilities in T6433 that
> might be caused by leaving things as they are. When discussing long
> used methods we really need to concentrate on the actual potential
> harm to users. What are those potential harms here?

Not being an expert here, that is why I am asking.
It seems that with MD5 a bunch of attacks and clever ways to exploit the 
weakness came after the first collisions were found. Now chosen-prefix attacks 
are feasible and a number of crypto researchers and standards bodies suggest 
not creating SHA1 based signatures anymore.

> My understanding is that since SHA-1 is secure for everything but
> collisions that the user is quite safe even in the face of easy to
> create collisions. What am I missing?

That has been discussed and it has been interesting. It seems some people
believe that there is a possibility to present others with a document
they sign, but you have many others prepared to somehow create a different
one with the same SHA1 hash and thus signatures.
(This may include many documents as with OpenPGP there is at least a timestamp
that varies.)  Others believe this is too hard.

But to get more practical: Does gpg still create SHA1 based signatures
over documents, when being presented with some pubkeys?
Or by default?
If it does not, since when?

Would a warning help users understand better that a SHA1 based signature
may be created by an attacker in order to exploit weaknesses in the future?
And then users could wonder in high security contexts?

How many signatures would be affected by such a warning
is something I'd guess we would need to estimate.

Regards,
Bernhard


-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter
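One way to estimate how many existing signatures a SHA1 warning would affect is to tally the digest algorithm of every signature packet. The script below is an added example, not code from this thread or from GnuPG: it parses the `:signature packet:` / `digest algo N` lines that `gpg --list-packets` prints, and the sample listing it runs on is constructed.

```python
import re
from collections import Counter

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4), as printed by
# `gpg --list-packets` in the "digest algo N" line of a signature packet.
DIGEST_NAMES = {
    1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
    9: "SHA384", 10: "SHA512", 11: "SHA224",
}
WEAK_DIGESTS = {1, 2}  # MD5 and SHA1: collisions are practical

SIG_RE = re.compile(r"^:signature packet: algo (\d+), keyid ([0-9A-Fa-f]+)")
DIGEST_RE = re.compile(r"^\s*digest algo (\d+)")


def parse_signature_digests(listing):
    """Return (keyid, digest_id) pairs, one per signature packet in the listing."""
    sigs = []
    current = None  # keyid of the signature packet currently being read
    for line in listing.splitlines():
        m = SIG_RE.match(line)
        if m:
            current = m.group(2).upper()
            continue
        m = DIGEST_RE.match(line)
        if m and current is not None:
            sigs.append((current, int(m.group(1))))
            current = None
    return sigs


def summarize(sigs):
    """Count signatures per digest name; list keyids that made a weak-digest signature."""
    counts = Counter(DIGEST_NAMES.get(d, f"unknown({d})") for _, d in sigs)
    weak = sorted({k for k, d in sigs if d in WEAK_DIGESTS})
    return counts, weak


# Constructed sample shaped like `gpg --list-packets` output for two detached
# signatures; keyids, timestamps and digest bytes are made up.
SAMPLE = """\
# off=0 ctb=89 tag=2 hlen=3 plen=307
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1733397380, md5len 0, sigclass 0x00
\tdigest algo 2, begin of digest 1a 2b
# off=310 ctb=89 tag=2 hlen=3 plen=307
:signature packet: algo 1, keyid FEDCBA9876543210
\tversion 4, created 1733397400, md5len 0, sigclass 0x00
\tdigest algo 10, begin of digest 3c 4d
"""

if __name__ == "__main__":
    counts, weak = summarize(parse_signature_digests(SAMPLE))
    print(dict(counts))   # {'SHA1': 1, 'SHA512': 1}
    print(weak)           # ['0123456789ABCDEF']
```

To run it on real data, feed it the output of `gpg --list-packets` over your signature files or an exported keyring instead of `SAMPLE`.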