Use other hash than SHA-1
David Shaw
dshaw at jabberwocky.com
Fri May 8 14:53:02 CEST 2009
On May 8, 2009, at 3:26 AM, Raimar Sandner wrote:
> On Friday 08 May 2009 09:14:27 Raimar Sandner wrote:
>> On Friday 08 May 2009 02:09:31 David Shaw wrote:
>>> One fear that I've seen talked about for SHA-1 is that an attacker can
>>> create a duplicate document such that if you signed document or key A,
>>> they could come up with a document or key B that your signature would
>>> equally apply to. That fear is more than a little overblown. Even
>>> MD5 hasn't been broken to that extent.
>>
>> http://eprint.iacr.org/2005/067.pdf
>>
>> As far as I understand this paper, MD5 has been broken to that extent.
>> For SHA1 you're still right of course.
>
> http://eprint.iacr.org/2009/111.pdf
>
> Sorry, this is the reference I meant... even more impressive :)
That's a different sort of attack. In the rogue CA attack, the
attackers generated both A *and* B themselves. They then arranged to
have A signed, and were then able to reveal B as if it had also been
signed (massive oversimplification, of course, as there was a huge
amount of work involved in even making that work, but the point here
is that the attackers generated both A and B themselves). It's a
collision attack. This attack (which again I must stress does not yet
exist for SHA-1) is one of the reasons why it's a good idea to switch
to SHA-256 for new signatures. That's just prudent.
There is no current attack, however, against any hash algorithm in
OpenPGP, that would allow an attacker to pick some arbitrary signature
out there and generate a key or document that hashes to the same
value. This is a preimage attack, either variant of which could be
used against OpenPGP, but neither of them currently exist - not in
MD5, and certainly not in SHA-1. This (lack of) an attack is why I
don't think people need to worry all that much about their existing
signatures that are out there.
David
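The distinction David draws above (collision: the attacker builds both A and B, gets A signed, then passes off the signature as covering B; second preimage: the attacker is handed an honest document or signature and must find a B that hashes to the same value) is easy to see on a deliberately shrunken hash. The following is an added illustration, not code from this thread or from GnuPG. It assumes a toy digest (SHA-256 truncated to 32 bits, so a birthday search finishes in seconds) and uses an HMAC over that digest as a stand-in for a signature, mirroring the fact that an OpenPGP signature is computed over the hash of the data rather than the data itself. The message texts, key and nonce scheme are all constructed for the example. It goes slightly beyond the post in that it runs both searches so the cost asymmetry is visible: the two-document collision is found with roughly 2^16 hashes of each kind, while the fixed-target second-preimage search needs on the order of 2^32 and comes back empty within its budget.

```python
import hashlib
import hmac

TRUNC_BITS = 32  # toy digest width; small enough that a birthday search finishes in seconds


def toy_digest(msg: bytes) -> bytes:
    """Stand-in for a weak hash: SHA-256 truncated to TRUNC_BITS (constructed for the example)."""
    return hashlib.sha256(msg).digest()[:TRUNC_BITS // 8]


# Constructed signing key. A real OpenPGP signature is an asymmetric operation over the
# digest; an HMAC over the toy digest has the only property that matters here, namely that
# two messages with the same digest get the same signature.
SIGNING_KEY = b"signer-private-key (constructed for the example)"


def sign(msg: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, toy_digest(msg), "sha256").digest()


def verify(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(msg), sig)


def find_collision(budget: int = 1 << 20):
    """Collision attack: the attacker chooses BOTH documents.

    Table the digests of 2^17 benign variants, then walk malicious variants until one
    lands on a tabled digest. Expected cost is about 2^16 hashes per side for a 32-bit
    digest, the birthday bound. Returns (benign, malicious) or None if the budget runs out.
    """
    table = {}
    for i in range(1 << 17):
        a = b"benign: pay 10 EUR to Alice, nonce=%d" % i
        table[toy_digest(a)] = a
    for j in range(budget):
        b = b"malicious: pay 10000 EUR to Mallory, nonce=%d" % j
        a = table.get(toy_digest(b))
        if a is not None:
            return a, b
    return None


def second_preimage(target: bytes, budget: int):
    """Second-preimage attack: the target was written by someone else and is fixed.

    There is no table to exploit; each candidate has a 2^-32 chance of matching, so the
    expected cost is 2^32 hashes. Returns a forged document or None within the budget.
    """
    want = toy_digest(target)
    for j in range(budget):
        b = b"forged document, nonce=%d" % j
        if b != target and toy_digest(b) == want:
            return b
    return None


def demo():
    """Run both attacks; returns (forged_signature_verifies, second_preimage_found)."""
    pair = find_collision()
    assert pair is not None, "birthday search exhausted its budget (vanishingly unlikely)"
    benign, malicious = pair
    sig = sign(benign)                       # the victim signs only the benign document
    forged_ok = verify(malicious, sig)       # ... yet the signature covers the malicious one
    honest = b"honest document the signer wrote, nonce=0"
    found = second_preimage(honest, 1 << 12) is not None  # bounded search against a fixed target
    return forged_ok, found


if __name__ == "__main__":
    forged_ok, found = demo()
    print("collision: signature over benign document also verifies over malicious one:", forged_ok)
    print("second preimage against a fixed honest document found within 2^12 tries:", found)
```

The asymmetry is the whole point of the message: a collision attack only threatens signatures an attacker could steer onto a document they prepared (which is why moving new signatures to SHA-256 is prudent), while a second-preimage attack would be needed to turn any existing signature against its signer, and no such attack existed for MD5 or SHA-1 at the time of writing. In GnuPG the switch itself is a configuration matter (the `personal-digest-preferences` and `cert-digest-algo` options in gpg.conf), not a code change.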