New results against SHA-1
David Shaw
dshaw at jabberwocky.com
Mon May 4 14:51:56 CEST 2009
On May 4, 2009, at 6:16 AM, Nicholas Cole wrote:
> On Mon, May 4, 2009 at 9:24 AM, Werner Koch <wk at gnupg.org> wrote:
>> On Fri, 1 May 2009 05:58, atom at smasher.org said:
>>
>>> so... when is the open-pgp spec moving beyond SHA1 hashes to identify
>>> public keys? what's next? will it have to be a bigger hash?
>>
>> OpenPGP does not claim that the fingerprint is a unique way to identify
>> a key.
>
> How does GPG cope if two keys on the keyring have the same FP? AFAICS
> that would make things very difficult for most of the front-ends,
> especially if they had been relying on the uniqueness (in practice) of
> the FP to specify which key to operate on.

In theory, OpenPGP implementations should cope just fine with multiple
keys having the same fingerprint. What to do depends on the context,
but you could for example try all of the same-FP keys to verify a
signature, etc.

In practice, however, I suspect that most, if not all, OpenPGP
programs would exhibit strange behavior of one sort or another. This
sort of thing is hard to test for since it essentially implies
creating a SHA-1 collision (which even with the recent discoveries is
not a trivial thing). It's possible to fake a collision in the code,
but again, they're so absurdly rare there are other bugs that would
hit first.

In the computer urban legend department, I actually heard a story once
about someone who claimed to have (completely accidentally) generated
a key with a colliding fingerprint. Unfortunately he deleted it
because he thought it was a bad key when his client didn't behave well
with it.... You may draw from that what you will!

David
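
Added example (not part of the original message and not GnuPG code): a keyring that treats the fingerprint as a lookup hint, keeps every key that maps to it, and tries each candidate when verifying, with the fingerprint function injectable so a collision can be faked in a test. The Keyring class, toy_check and the sample keys are hypothetical; toy_check is a constructed HMAC stand-in for real public-key signature verification.

```python
import hashlib
import hmac
from collections import defaultdict


def v4_fingerprint(pubkey_packet_body: bytes) -> bytes:
    """RFC 4880 sec. 12.2: SHA-1 over 0x99, a two-octet length, then the packet body."""
    header = b"\x99" + len(pubkey_packet_body).to_bytes(2, "big")
    return hashlib.sha1(header + pubkey_packet_body).digest()


class Keyring:
    """Hypothetical keyring: one fingerprint may map to several distinct keys."""

    def __init__(self, fingerprint=v4_fingerprint):
        self._fingerprint = fingerprint      # injectable so tests can fake collisions
        self._by_fpr = defaultdict(list)     # fingerprint -> every key that hashes to it

    def add(self, body: bytes) -> bytes:
        fpr = self._fingerprint(body)
        if body not in self._by_fpr[fpr]:    # identical bytes: true duplicate, skip
            self._by_fpr[fpr].append(body)   # different bytes: keep both keys
        return fpr

    def candidates(self, fpr: bytes) -> list:
        return list(self._by_fpr.get(fpr, []))

    def verify(self, fpr, message, signature, check):
        """Try every key sharing the fingerprint; return the one that verifies, or None."""
        for body in self.candidates(fpr):
            if check(body, message, signature):
                return body
        return None


def toy_check(body, message, signature):
    """Constructed stand-in for signature verification (HMAC keyed by the key body)."""
    expected = hmac.new(body, message, hashlib.sha1).digest()
    return hmac.compare_digest(expected, signature)


def demo():
    # Fake a collision in code: every key gets the same constant fingerprint.
    ring = Keyring(fingerprint=lambda body: b"\x00" * 20)
    key_a, key_b = b"constructed key A", b"constructed key B"
    fpr = ring.add(key_a)
    ring.add(key_b)                          # collides with key_a, must not replace it
    sig = hmac.new(key_b, b"hello", hashlib.sha1).digest()
    return len(ring.candidates(fpr)), ring.verify(fpr, b"hello", sig, toy_check)
```

A keyring that stored one key per fingerprint would silently drop key B here and the signature would fail to verify.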