sandals at crustytoothpaste
Jul 11, 2012, 6:23 PM
Post #29 of 38
(257 views)
Permalink
|
|
Re: why is SHA1 used? How do I get SHA256 to be used?
[In reply to]
|
|
On Tue, Jul 10, 2012 at 08:15:32PM -0400, Robert J. Hansen wrote:
> There tends to be a lot of scaremongering in the world of crypto. I
> think it's generally wise to be careful in our declarations. It is
> enough to say SHA-1 is known to not meet its design specifications and
> that some fairly devastating attacks against it will likely be coming
> along in the near future. That's already a good enough reason to reduce
> our usage of and dependency upon SHA-1. There's no need to fearmonger
> about how the algorithm has already collapsed, because it hasn't.
I'm not saying it has collapsed. I'm saying that it has weaknesses, and
that the number and magnitude of the weaknesses continue to grow, and
that I think it is imprudent to use SHA-1. I would much rather people
make the move to something better now, because otherwise we'll all be
stuck with SHA-1 long after it's insecure, just like it's been with MD5.
> > Practically, collisions can be generated for 75 of the 80 rounds[0].
>
> Right now, only random collisions can be generated. That's not any use
> in forging a signature, which requires a preimage collision. A
> cryptographic break is not the same as a practical exploit.
It's an indication of weakness. I've seen lots of people that work with
crypto claim that we don't need larger margins of security. The cost of
computation is so small that I'd rather overdo it than regret my
decision later.
> > I don't generate signatures with algorithms I consider insecure
> > because that leads to people being able to forge signatures in my
> > name.
>
> Then you need to stop using OpenPGP altogether, because you're already
> generating SHA-1 signatures with your certificate which can be lifted
> and dropped onto new messages if/when a preimage attack is introduced
> against SHA-1.
Really? I'm pretty sure that I'm not generating SHA-1 signatures. This
is signed using SHA-512, SHA-384, or SHA-256. When I sign another key,
I use SHA-512. At least that's what I've configured GnuPG to do, and
I'd be very surprised if it did not, in fact, do that. If it is using
SHA-1, please report it to the list: it's a bug.
> Let me make this really clear: if you believe SHA-1 is insecure, you
> believe OpenPGP is insecure and you should stop using it. SHA-1 is
> hardwired into the OpenPGP spec in a few different places and, as of
> right now, cannot really be removed. The new V5 key format will almost
> certainly change this, but V5 won't be coming out for a good long while yet.
SHA-1, for my current key, is being used to generate my fingerprint.
It's being used in MDCs when I encrypt a message. And it's being used
instead of the default checksum for my private key. That's it.
Since my private key remains solely in my possession and is not subject
to tampering, what checksum is used is really irrelevant. Since I sign
my messages when I encrypt them, the MDC is essentially redundant, since
it would be apparent that they'd been tampered with. It is extremely
unlikely that an attacker would be able to tamper with the encrypted
message such that they could produce a valid, signed unencrypted
message.
And I'm personally not happy with the use of SHA-1 for the fingerprint,
but it'll have to do for a while. I wish we had chosen RIPEMD-160
instead. I feel it's a better, more conservative design.
> > If I use MD5, even for one message, that allows a moderately
> > determined attacker to replay that signature on what is likely to
> > become a fairly large set of messages. I'd rather avoid that, thank
> > you.
>
> You've *already done this*.
Really? Can you show an example?
> If you truly believe this, stop using OpenPGP.
Is my statement not true for MD5?
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
|
signature.asc
