why is SHA1 used? How do I get SHA256 to be used?
Robert J. Hansen
rjh at sixdemonbag.org
Thu Jul 12 05:36:02 CEST 2012
On 7/11/2012 9:23 PM, brian m. carlson wrote:
> Really? I'm pretty sure that I'm not generating SHA-1 signatures.
This is not necessarily relevant.
Here's a thought experiment for you. Someone creates a DSA-1k key and
uses --cert-digest-algo SHA256 and --enable-dsa2. This creates 160-bit
truncated SHA256 hashes.
This person is at risk from a SHA-1 preimage collision, *despite the
fact they've never generated a single SHA-1 signature*.
All the attacker has to do is create a message which SHA-1s out to the
same value as the truncated SHA-256 of a legitimate message. At that
point, the forgery becomes possible.
I don't specifically know how you're using SHA-256. Nor do I especially
want to know. What I do know is that there are a surprising number of
ways a SHA-1 preimage attack can screw over even people who have never
used SHA-256.
Don't put too much faith in "if I switch to SHA-256 I don't need to
worry about the SHA-1 attacks." It's probably not true.
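To make the truncation in the thought experiment concrete, here is an added example (not code from this thread or from GnuPG) that applies the FIPS 186-3 DSA rule, sign the leftmost min(N, outlen) bits of the digest, and reports the security bound that is left; it assumes N = 160 for a 1024-bit DSA key, and the configurations it audits are constructed.

```python
import hashlib

# DSA (FIPS 186-3, section 4.6) signs z = the leftmost min(N, outlen) bits
# of Hash(M), where N is the bit length of the subgroup order q and outlen
# the digest length.  Assumption in this example: a 1024-bit DSA key has
# N = 160, so a SHA-256 digest is cut to 160 bits before it is signed.

def signed_hash_value(message: bytes, hash_name: str, q_bits: int) -> bytes:
    """Bytes of Hash(message) that a DSA key with a q_bits-bit q signs."""
    digest = hashlib.new(hash_name, message).digest()
    keep = min(q_bits, len(digest) * 8)
    assert keep % 8 == 0, "example assumes a byte-aligned q size"
    return digest[: keep // 8]

def effective_strength(hash_name: str, q_bits: int) -> dict:
    """Generic work bounds on the signed value: preimage ~ 2^bits,
    collision ~ 2^(bits/2) (birthday bound), after truncation."""
    outlen = hashlib.new(hash_name).digest_size * 8
    signed_bits = min(q_bits, outlen)
    return {
        "hash_output_bits": outlen,
        "signed_bits": signed_bits,
        "truncated": signed_bits < outlen,
        "preimage_bits": signed_bits,
        "collision_bits": signed_bits // 2,
    }

def audit(configs):
    """Flag (label, hash, q_bits) triples where q discards digest bits, so
    the chosen digest buys no more than a q_bits-bit hash would."""
    findings = []
    for label, hash_name, q_bits in configs:
        s = effective_strength(hash_name, q_bits)
        if s["truncated"]:
            findings.append(f"{label}: {hash_name} cut from "
                            f"{s['hash_output_bits']} to {s['signed_bits']} "
                            f"bits; collision bound 2^{s['collision_bits']}")
    return findings

# Constructed sample configurations (labels only, not real keys).
SAMPLE_CONFIGS = [
    ("DSA-1k + cert-digest-algo SHA256", "sha256", 160),
    ("DSA-1k + SHA1", "sha1", 160),
    ("DSA-2k (q = 256 bits) + SHA256", "sha256", 256),
]

if __name__ == "__main__":
    print(signed_hash_value(b"constructed sample", "sha256", 160).hex())
    for line in audit(SAMPLE_CONFIGS):
        print(line)
```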