why is SHA1 used? How do I get SHA256 to be used?

Sam Smith smickson at hotmail.com
Wed Jul 11 14:38:08 CEST 2012


> I'd much rather fail to generate a signature than generate
> one using an algorithm which is very weak.

My feelings as well.



Date: Tue, 10 Jul 2012 23:59:45 +0000
From: sandals at crustytoothpaste.net
To: gnupg-users at gnupg.org
Subject: Re: why is SHA1 used? How do I get SHA256 to be used?

On Tue, Jul 10, 2012 at 10:10:12AM -0400, Robert J. Hansen wrote:
> > SHA1 is no longer secure.
> 
> At the present moment, SHA-1 is just fine.  In the fairly near future,
> anywhere between six months to a few years, I expect this will change.
> But "SHA1 is no longer secure" is factually untrue, at least where
> OpenPGP is concerned.
 
SHA-1 is considered cryptographically broken.  It does not provide the
level of security it claims.  Practically, collisions can be generated
for 75 of the 80 rounds[0].  I hardly consider an algorithm this close
to a collision "just fine".  There's no need to run screaming to the
exits, but a quick and orderly transition has been appropriate for some
time.  The time to move to something else is ending soon.
 
> I don't recommend SHA-1 for new signatures, but if you have a choice
> between sending a SHA-1 message which your recipient can verify
> or a SHA-256 message which your recipient can't, well -- that math's
> pretty easy to do.  SHA-1 isn't a good choice for new signatures, but
> it's a lot better than no signature.
 
I don't generate signatures with algorithms I consider insecure because
that leads to people being able to forge signatures in my name.  If I
use MD5, even for one message, that allows a moderately determined
attacker to replay that signature on what is likely to become a fairly
large set of messages.  I'd rather avoid that, thank you.
 
> > I'm not going to cater to people using really old versions, 
> > especially when security is involved.
> 
> The good news is that no one's asking you to.  You're only being
> advised, "don't use --digest-algo SHA256, it's unwise and can break
> interoperability.  Use --personal-digest-preferences SHA256 instead."
> This is the same advice that has been given by the GnuPG developers, by
> the Enigmail team, and by many other people within the community.  It's
> a best-practices thing for GnuPG.
 
The question is, will GnuPG fall back to SHA-1 if it's not in my digest
preferences?  I'd much rather fail to generate a signature than generate
one using an algorithm which is very weak.
 
[0] http://eprint.iacr.org/2011/641
 
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
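The practical way to settle the question raised above (did GnuPG really sign with SHA-256, or did it fall back to SHA-1?) is to read the hash-algorithm octet out of the signature packet itself. What follows is an added example, not code from GnuPG or from anyone in this thread: a minimal RFC 4880 reader in Python that de-armors a detached signature, checks the armor CRC-24, decodes the fixed fields of a version 4 signature packet and reports the digest by name. The sample signature it parses is constructed by hand (dummy key ID, dummy MPI) and will never verify against any key; it only exercises the framing. The STRONG_DIGESTS set is a local policy choice, not anything GnuPG defines.

```python
"""Read the hash-algorithm octet out of an OpenPGP signature packet (RFC 4880)
so you can confirm which digest GnuPG actually used.  Added example: the
sample signature is constructed by hand and is not a real GnuPG signature."""
import base64
import struct

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",   # RFC 4880 s9.4
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 3: "RSA-sign-only", 17: "DSA"}           # RFC 4880 s9.1
STRONG_DIGESTS = {"SHA224", "SHA256", "SHA384", "SHA512"}         # local policy


def crc24(data: bytes) -> int:
    """CRC-24 used by ASCII armor (RFC 4880 s6.1)."""
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip the armor from a detached signature and verify its CRC-24 line."""
    lines = text.strip().splitlines()
    if (lines[0] != "-----BEGIN PGP SIGNATURE-----"
            or lines[-1] != "-----END PGP SIGNATURE-----"):
        raise ValueError("not an armored PGP signature")
    body = lines[1:-1]
    if "" in body:                       # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    packet = base64.b64decode("".join(body))
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if crc24(packet) != expected:
            raise ValueError("armor CRC-24 mismatch")
    return packet


def packet_header(data: bytes):
    """Return (tag, body_offset, body_length) for the first packet (RFC 4880 s4.2)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("missing packet tag bit")
    if first & 0x40:                     # new-format header
        tag, n = first & 0x3F, data[1]
        if n < 192:
            return tag, 2, n
        if n < 224:
            return tag, 3, ((n - 192) << 8) + data[2] + 192
        raise ValueError("5-octet and partial body lengths not handled here")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    raise ValueError("only 1- and 2-octet old-format lengths handled here")


def parse_signature(packet: bytes) -> dict:
    """Decode the fixed header fields of a version 4 signature packet (RFC 4880 s5.2.3)."""
    tag, off, length = packet_header(packet)
    if tag != 2:
        raise ValueError(f"packet tag {tag} is not a signature")
    body = packet[off:off + length]
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    return {"version": 4, "sig_type": body[1],
            "pubkey_algo": PUBKEY_ALGOS.get(body[2], f"unknown({body[2]})"),
            "hash_algo": HASH_ALGOS.get(body[3], f"unknown({body[3]})"),
            "hashed_subpacket_bytes": struct.unpack(">H", body[4:6])[0]}


def signature_digest_is_strong(armored: str) -> bool:
    """True iff the signature was made with a digest in STRONG_DIGESTS."""
    return parse_signature(dearmor(armored))["hash_algo"] in STRONG_DIGESTS


def build_sample_signature(hash_algo: int) -> str:
    """Constructed stand-in for a detached signature: correct framing, dummy
    key ID and a dummy MPI, so it will never verify against any real key."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1342010000)        # creation-time subpacket
    unhashed = bytes([9, 16]) + bytes.fromhex("0011223344556677")  # issuer key ID (dummy)
    body = (bytes([4, 0x00, 1, hash_algo])                         # v4, binary doc, RSA, hash
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xde\xad"                                          # left 16 bits of the hash
            + struct.pack(">H", 8) + b"\xab")                      # 8-bit dummy RSA MPI
    packet = bytes([0x88, len(body)]) + body    # old-format header: tag 2, 1-octet length
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(packet).decode()
            + "\n=" + crc + "\n-----END PGP SIGNATURE-----\n")
```

To use it on a real signature, run `gpg --armor --detach-sign file`, read the resulting `file.asc` and pass its contents to `signature_digest_is_strong`; a False result means the signature was made with MD5, SHA-1 or something else outside the policy set. `gpg --list-packets file.asc` reports the same octet as `digest algo N` (2 for SHA-1, 8 for SHA-256), so the two can be cross-checked.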