why is SHA1 used? How do I get SHA256 to be used?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jul 12 06:10:11 CEST 2012


On 07/10/2012 06:15 PM, Robert J. Hansen wrote:
> Right now, only random collisions can be generated.  That's not any use
> in forging a signature, which requires a preimage collision.

If the attacker can convince you to sign a chosen text (perhaps one that
looks reasonable), then a failure in the digest's collision-resistance
could very well be used to replay that signature over a different (but
colliding) text (which may not be something reasonable).  This does not
require a preimage collision.

I'm not saying these attacks exist practically today against SHA1 (I
don't know if they do), but collision-resistance is the relevant
property, not resistance to pre-image attacks.

> SHA-1 is
> hardwired into the OpenPGP spec in a few different places and, as of
> right now, cannot really be removed.

The places where it is thoroughly "baked in" are the MDC (not relevant
cryptographically) and the V4 fingerprint (where the relevant property
is resistance to a preimage attack instead of resistance to generated
collisions).

>> If I use MD5, even for one message, that allows a moderately 
>> determined attacker to replay that signature on what is likely to 
>> become a fairly large set of messages.  I'd rather avoid that, thank
>>  you.
> 
> You've *already done this*.

Where exactly has the original poster signed anything over an MD5 digest?

	--dkg
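A toy illustration of the point dkg makes above, added here and not part of the original thread: the signer commits to digest(m) rather than to m, so an attacker who can find two colliding texts and get the harmless one signed holds a valid signature over the other, without ever inverting the digest. The 16-bit truncated digest, the HMAC stand-in for a real signature scheme, and the sample texts are all constructed for the demonstration.

```python
import hashlib
import hmac
import itertools

DIGEST_BITS = 16  # constructed: SHA-256 truncated to 16 bits so collisions are cheap

def weak_digest(msg: bytes) -> bytes:
    """Toy digest with no collision resistance (stand-in for a broken hash)."""
    return hashlib.sha256(msg).digest()[: DIGEST_BITS // 8]

def full_digest(msg: bytes) -> bytes:
    """Full SHA-256: collision-resistant as far as anyone knows today."""
    return hashlib.sha256(msg).digest()

# Assumption: HMAC under a fixed key models a signature. What matters for the
# argument is only that the signer commits to digest(msg), not to msg itself.
SIGNING_KEY = b"constructed-signing-key"

def sign(msg: bytes, digest=weak_digest) -> bytes:
    return hmac.new(SIGNING_KEY, digest(msg), hashlib.sha256).digest()

def verify(msg: bytes, sig: bytes, digest=weak_digest) -> bool:
    return hmac.compare_digest(sign(msg, digest), sig)

def find_colliding_pair(reasonable: bytes, malicious: bytes, digest=weak_digest):
    """Birthday-style search over harmless-looking variants of both texts.
    Returns (m1, m2) with digest(m1) == digest(m2). No digest is inverted, so
    this needs only a collision weakness, not a preimage weakness."""
    table = {}
    for i in range(1 << (DIGEST_BITS // 2 + 1)):  # 512 variants of the reasonable text
        m = reasonable + b" #" + str(i).encode()
        table.setdefault(digest(m), m)
    for j in itertools.count():
        m = malicious + b" #" + str(j).encode()
        if digest(m) in table:
            return table[digest(m)], m

def replay_demo(digest=weak_digest):
    """The victim signs only the reasonable text; report whether that single
    signature also verifies over the colliding text under the given digest."""
    honest, forged = find_colliding_pair(b"I owe Alice 10 EUR", b"I owe Alice 10000 EUR")
    sig = sign(honest, digest)
    return verify(honest, sig, digest), verify(forged, sig, digest)

if __name__ == "__main__":
    print("weak digest :", replay_demo(weak_digest))  # (True, True): replay works
    print("full SHA-256:", replay_demo(full_digest))  # (True, False): pair no longer collides
```

The second run reuses the pair that collides only under the weak digest, which is why a collision-resistant digest closes the replay even though the signing step is otherwise unchanged.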
