Mailing List Archive: GnuPG: users

migration paths from SHA-1 [was: Re: idea.dll]

dkg at fifthhorseman

Jun 27, 2012, 7:24 AM

Post #1 of 2 (131 views)
migration paths from SHA-1 [was: Re: idea.dll]

On 06/27/2012 09:11 AM, Robert J. Hansen wrote:
> On 6/26/2012 3:22 AM, Werner Koch wrote:
>> This is very different in OpenPGP. SHA-1 is not used everywhere; its
>> main use is for the fingerprint, this will eventually be a problem.
>
> I am not so sanguine. Marc Stevens claims [1] he has a working
> collision requiring 2**57 compressions: that number is low enough to
> make my hair stand on end. He also says he knows how to make it faster,
> and he's been curiously silent on the subject for the last year and a
> half. I think "eventually" is going to come sooner than we think.

For the key's fingerprint specifically, a pre-image (where the attacker
crafts a new text that shares a digest with the victim's key material)
is the thing to worry about, not a crafted collision (where the attacker
generates two texts that share a digest).

My read of [1] is that the attack is a collision technique, not a
pre-image technique, which would imply that "eventually" is still
actually a little ways off for fingerprints at least.

> Werner wrote:
>> Everywhere else we are already using SHA-2.

Not by default. In testing today with an empty profile, gpg 1.4.12
still defaults to making key certifications (where the attacker controls
the digested material completely) and data signatures with SHA1. These
are areas where a successful collision attack can do serious harm.

I'd be happy to see gpg migrate to defaults of SHA-256 for data
signatures and key certifications; these digests have been available to
users (of both GPG and PGP) for many years now. I've been using SHA-512
for my data signatures and key certifications for a few years and have
never gotten a complaint.

--dkg

[1] http://code.google.com/p/hashclash/
Attachments: signature.asc (1.01 KB)
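As an added example (not part of either post), here is a small POSIX shell audit that reads `gpg --list-packets` output and reports which hash algorithm each signature packet was made with, so a user can check for themselves whether their key certifications and data signatures still use SHA-1, as dkg reports for default gpg 1.4.12 profiles. The packet dump embedded below is constructed, modelled on the `--list-packets` layout (the `sigclass` and `digest algo` fields are the ones gpg prints); the algorithm numbers follow RFC 4880 section 9.4.

```shell
#!/bin/sh
# Added example: audit the digest algorithm of OpenPGP signature packets
# from `gpg --list-packets` output.  Not code from the thread or from GnuPG.

# RFC 4880 section 9.4 hash algorithm identifiers.
digest_name() {
    case "$1" in
        1)  echo MD5 ;;
        2)  echo SHA1 ;;
        3)  echo RIPEMD160 ;;
        8)  echo SHA256 ;;
        9)  echo SHA384 ;;
        10) echo SHA512 ;;
        11) echo SHA224 ;;
        *)  echo "unknown($1)" ;;
    esac
}

# Reads `gpg --list-packets` output on stdin and prints one line per
# signature packet: "<sigclass> <digest name>".  Classes 0x10-0x13 are key
# certifications, 0x00/0x01 are data signatures (RFC 4880 section 5.2.1).
signature_digests() {
    sigclass=""
    while IFS= read -r line; do
        case "$line" in
            *"sigclass "*)
                sigclass=${line##*"sigclass "}
                sigclass=${sigclass%%[!0-9a-zA-Z]*}
                ;;
            *"digest algo "*)
                algo=${line##*"digest algo "}
                algo=${algo%%[!0-9]*}
                printf '%s %s\n' "$sigclass" "$(digest_name "$algo")"
                ;;
        esac
    done
}

# Prints how many signatures in the dump were made with MD5 or SHA-1.
count_weak_digests() {
    signature_digests | grep -c -E ' (MD5|SHA1)$' || true
}

# Constructed sample dump: one self-certification (0x13) made with SHA1
# and one data signature (0x00) made with SHA512.  Key id is a placeholder.
SAMPLE_PACKETS='# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
    version 4, algo 1, created 1340800000, expires 0
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1340800000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 4a 1c
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1340800100, md5len 0, sigclass 0x00
    digest algo 10, begin of digest 9e 22
'

# Demo on the constructed dump.  Against a real key you would run:
#   gpg --export KEYID | gpg --list-packets | signature_digests
printf '%s\n' "$SAMPLE_PACKETS" | signature_digests
printf 'weak (MD5/SHA-1) signatures: %s\n' \
    "$(printf '%s\n' "$SAMPLE_PACKETS" | count_weak_digests)"
```

If the audit shows SHA-1 certifications on your own key, the per-user change in gpg.conf is `cert-digest-algo SHA256` (or SHA512) for the certifications you make and `personal-digest-preferences SHA512 SHA384 SHA256 SHA224` for data signatures; re-signing the user IDs with `gpg --edit-key` then replaces the old SHA-1 self-signatures.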


rjh at sixdemonbag

Jun 27, 2012, 7:32 AM

Post #2 of 2 (130 views)
Re: migration paths from SHA-1 [was: Re: idea.dll] [In reply to]

On 6/27/2012 10:24 AM, Daniel Kahn Gillmor wrote:
> For the key's fingerprint specifically, a pre-image (where the attacker
> crafts a new text that shares a digest with the victim's key material)
> is the thing to worry about, not a crafted collision (where the attacker
> generates two texts that share a digest).

Yes. And this is exactly what I heard in 2005 from people who were
dismissing the MD5 collision attacks as, "well, you know, they're not
preimages." It didn't take long to go from that to full-on attacks on
MD5. I expect the same will occur here.

> My read of [1] is that the attack is a collision technique, not a
> pre-image technique, which would imply that "eventually" is still
> actually a little ways off for fingerprints at least.

If by "a little ways off" you mean anywhere between six months and a few
years, then yes, that's reasonable.

I don't expect SHA-1 to fall over dead this afternoon, but the
chaplain's been summoned to its room to deliver the Last Rites.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users