why is SHA1 used? How do I get SHA256 to be used?
Sam Smith
smickson at hotmail.com
Wed Jul 11 14:38:08 CEST 2012
> I'd much rather fail to generate a signature than generate
> one using an algorithm which is very weak.
My feelings as well.
Date: Tue, 10 Jul 2012 23:59:45 +0000
From: sandals at crustytoothpaste.net
To: gnupg-users at gnupg.org
Subject: Re: why is SHA1 used? How do I get SHA256 to be used?
On Tue, Jul 10, 2012 at 10:10:12AM -0400, Robert J. Hansen wrote:
> > SHA1 is no longer secure.
>
> At the present moment, SHA-1 is just fine. In the fairly near future,
> anywhere between six months to a few years, I expect this will change.
> But "SHA1 is no longer secure" is factually untrue, at least where
> OpenPGP is concerned.
SHA-1 is considered cryptographically broken. It does not provide the
level of security it claims. Practically, collisions can be generated
for 75 of the 80 rounds[0]. I hardly consider an algorithm this close
to a collision "just fine". There's no need to run screaming to the
exits, but a quick and orderly transition has been appropriate for some
time. The time to move to something else is ending soon.
> I don't recommend SHA-1 for new signatures, but if you have a choice
> between sending a SHA-1 message which your recipient can verify
> or a SHA-256 message which your recipient can't, well -- that math's
> pretty easy to do. SHA-1 isn't a good choice for new signatures, but
> it's a lot better than no signature.
I don't generate signatures with algorithms I consider insecure because
that leads to people being able to forge signatures in my name. If I
use MD5, even for one message, that allows a moderately determined
attacker to replay that signature on what is likely to become a fairly
large set of messages. I'd rather avoid that, thank you.
> > I'm not going to cater to people using really old versions,
> > especially when security is involved.
>
> The good news is that no one's asking you to. You're only being
> advised, "don't use --digest-algo SHA256, it's unwise and can break
> interoperability. Use --personal-digest-preferences SHA256 instead."
> This is the same advice that has been given by the GnuPG developers, by
> the Enigmail team, and by many other people within the community. It's
> a best-practices thing for GnuPG.
The question is, will GnuPG fall back to SHA-1 if it's not in my digest
preferences? I'd much rather fail to generate a signature than generate
one using an algorithm which is very weak.
[0] http://eprint.iacr.org/2011/641
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20120711/0c5ccd12/attachment-0001.htm>
More information about the Gnupg-users
mailing list