why is SHA1 used? How do I get SHA256 to be used?
vedaal
vedaal.nistar at gmail.com
Thu Jul 12 05:13:00 CEST 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 7/11/2012 9:23 PM, brian m. carlson wrote:
>>> If I use MD5, even for one message, that allows a moderately
>>> determined attacker to replay that signature on what is likely to
>>> become a fairly large set of messages. I'd rather avoid that, thank
>>> you.
>>
>> You've *already done this*.
>
> Really? Can you show an example?
If you *ever* signed a message with SHA1 and posted it publicly,
(maybe in the 'olden days' before any vulnerability in SHA1 was known)
then that signature could become a source for a forgery,
whenever SHA1 becomes broken enough.
(A clever, malicious attacker could backdate the clock,
and have a forgery of something you did in the past,
when you couldn't claim:
"Hey, that's an obvious forgery!
I'm on record as saying I would never use SHA1 to sign anything anymore!")
vedaal
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)
Comment: Acts of Kindness better the World, and protect the Soul
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBCAAGBQJP/kC7AAoJEFBvT6HTX7GGXV0P/jE4sQEIohwQ4s89wLRzLkji
//WimhWcxBvuzSW/uTNaMwG1QwkDA/nbYwa3VUMv3BXNFA9bRaiLSG0QKo/4INo3
PPUqlC3zIS7H7up5BxU2kKw7F45IIjkYuny7A5cZr/0wldyThe6OJrGhO7AjnIv9
YfHc5ztaG115ch7fF5S2SqX2ygsoAGromsfo/0OyAtQssmFIzuEsTpDNQgFjieh7
rVPIIqedITwpcV+BHH5QSETVjC0ZzERMokC/RaJ+Ta14IwHfpSv5cAkFoqTMouiA
oJxrGWROepnlD371gNZ/2dD1N76LBqGrxIMrc2ZbDI9UvM3GrAqv2aqNn0LOdfMz
t/JhGj1DGUeRyCgR2R4+TNY9L5yh+rq0/1oMGmzDg7D1x3uhJFWChDSY2cPc+r+x
xqjrsgEcQejcSOD0YaDSOTII/cMY6Xm8pB60GaVtw5uTAErO4aPlat977JhO97IF
CWHp9VwdbKl8BepiKhq8N4yyIA/1pDVtYQt2Ua3QSUJ4uNUiUGyhrypkLdViC/ws
9jj7Hb1J4f7bjko+gGi36r0OGHd6zBE+a1auV6tli3fBvss1BJ8lSNqUVPO/leqB
CNjNQNMF1GJnOqU4UvTT84KHnQBCHGWneS61a94YiOTyYQqs0BAYc2y/z6JaQY/u
JmW/+vlA5PAoKr0aRSKe
=8Ycl
-----END PGP SIGNATURE-----
More information about the Gnupg-users
mailing list