why is SHA1 used? How do I get SHA256 to be used?
brian m. carlson
sandals at crustytoothpaste.net
Wed Jul 11 01:59:45 CEST 2012
On Tue, Jul 10, 2012 at 10:10:12AM -0400, Robert J. Hansen wrote:
> > SHA1 is no longer secure.
>
> At the present moment, SHA-1 is just fine. In the fairly near future,
> anywhere between six months to a few years, I expect this will change.
> But "SHA1 is no longer secure" is factually untrue, at least where
> OpenPGP is concerned.

SHA-1 is considered cryptographically broken. It does not provide the
level of security it claims. Practically, collisions can be generated
for 75 of the 80 rounds[0]. I hardly consider an algorithm this close
to a collision "just fine". There's no need to run screaming to the
exits, but a quick and orderly transition has been appropriate for some
time. The time to move to something else is ending soon.

> I don't recommend SHA-1 for new signatures, but if you have a choice
> between sending a SHA-1 message which your recipient can verify
> or a SHA-256 message which your recipient can't, well -- that math's
> pretty easy to do. SHA-1 isn't a good choice for new signatures, but
> it's a lot better than no signature.

I don't generate signatures with algorithms I consider insecure because
that leads to people being able to forge signatures in my name. If I
use MD5, even for one message, that allows a moderately determined
attacker to replay that signature on what is likely to become a fairly
large set of messages. I'd rather avoid that, thank you.

> > I'm not going to cater to people using really old versions,
> > especially when security is involved.
>
> The good news is that no one's asking you to. You're only being
> advised, "don't use --digest-algo SHA256, it's unwise and can break
> interoperability. Use --personal-digest-preferences SHA256 instead."
> This is the same advice that has been given by the GnuPG developers, by
> the Enigmail team, and by many other people within the community. It's
> a best-practices thing for GnuPG.

The question is, will GnuPG fall back to SHA-1 if it's not in my digest
preferences? I'd much rather fail to generate a signature than generate
one using an algorithm which is very weak.

[0] http://eprint.iacr.org/2011/641
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
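
An added example, not part of the original message and not GnuPG code: one way a sender can confirm which digest a finished signature actually used, and refuse to send it if the digest is weak, by reading the hash algorithm octet of the signature packet as laid out in RFC 4880. The function names, the `WEAK` policy set and the sample input are assumptions made for illustration.

```python
import base64

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880, section 9.4
WEAK = {"MD5", "SHA1"}  # policy chosen for this example

def dearmor(text):
    """Return the binary packets inside an ASCII-armored block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = []
    for line in lines[lines.index("") + 1:]:    # data starts after the blank line
        if line.startswith(("=", "-----END")):  # CRC-24 line or armor tail
            break
        body.append(line)
    return base64.b64decode("".join(body))

def signature_hash(packets):
    """Name the digest algorithm of the leading signature packet (v3 or v4)."""
    hdr = packets[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                              # new-format header
        tag, first = hdr & 0x3F, packets[1]
        if 224 <= first < 255:
            raise ValueError("partial body length not supported")
        off = 2 if first < 192 else 3 if first < 224 else 6
    else:                                       # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        off = 1 + (1, 2, 4)[ltype]
    if tag != 2:
        raise ValueError("first packet is not a signature (tag %d)" % tag)
    version = packets[off]
    if version not in (3, 4):
        raise ValueError("unsupported signature version %d" % version)
    algo = packets[off + (3 if version == 4 else 16)]  # hash ID offset: 3 in v4, 16 in v3
    return HASH_NAMES.get(algo, "unknown(%d)" % algo)

def check_signature(armored):
    name = signature_hash(dearmor(armored))
    if name in WEAK:
        raise ValueError("signature was made with " + name)
    return name

def sample(hash_id):
    # Constructed input: only the header of a v4 RSA signature, not a real signature.
    b64 = base64.b64encode(bytes([0x88, 10, 4, 0x00, 1, hash_id]) + bytes(6)).decode()
    return "-----BEGIN PGP SIGNATURE-----\n\n" + b64 + "\n-----END PGP SIGNATURE-----\n"
```

Running `check_signature` over a detached signature before it is sent turns an unexpected digest into a hard failure instead of a silently weaker signature.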