Ansgar 🙀 <ans...@43-1.org> writes:

> On Fri, 2024-07-26 at 14:08 +0900, Justus Winter wrote:
>> In the OpenPGP ecosystem, we have seen that people think that if GnuPG
>> accepts an artifact, then it must be okay to emit such an artifact. As
>> you can see [0], GnuPG still accepts SHA1-based signatures. And, we
>> have seen big players [1][2] use SHA-1 in their signing keys.
>>
>> 0: https://tests.sequoia-pgp.org/#Signature_over_the_shattered_collision
>> 1: https://github.com/microsoft/linux-package-repositories/issues/47
>> 2: https://bugzilla.redhat.com/show_bug.cgi?id=2170878#c19
>>
>> We considerably improved the situation by rejecting these signatures,
>> even though that caused a considerable amount of pain in the short term.
>
> Recently on debian-vote@ it was pointed out repeatedly that SHA-1 is
> still a perfectly secure hash algorithm for many applications

SHA-1 is not a perfectly secure hash algorithm. It was disallowed for
use in digital signatures by NIST in 2013, 11 years ago. There are
practical attacks against its collision resistance. An attack has been
demonstrated against OpenPGP's authentication mechanism.

https://sha-mbles.github.io/

There is a modified SHA-1 algorithm that protects against all currently
known collision attacks, but it incurs a 20% overhead over software-only
implementations, making it considerably more expensive than SHA2.

Just stop using SHA-1, and stop advocating for its use.

> (probably just as MD5).

There is a short, low-entropy, alphanumeric collision constructed
against MD5 where the blocks differ by a single byte. It is hard to
overstate how broken MD5 is.

https://x.com/realhashbreaker/status/1770161965006008570

Stop saying MD5 is fine.

Best,
Justus
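The mail argues for rejecting SHA-1 and MD5 signatures outright rather than merely tolerating them. As an added example (not code from the mail, GnuPG or Sequoia), the block below shows the minimum such a policy needs: parse the header of an OpenPGP signature packet (RFC 4880, tag 2, v3 and v4 layouts) to read the hash-algorithm octet, and refuse MD5 (1), SHA-1 (2) and RIPEMD-160 (3) before any cryptographic verification happens. The sample packets are constructed by hand with placeholder key IDs and a dummy MPI; they carry no real signature value, and the rejected-set and algorithm table are this example's assumptions.

```python
"""Read the hash algorithm out of an OpenPGP signature packet and apply a
reject-MD5-and-SHA-1 policy.  Added example; not code from the original
mail, GnuPG or Sequoia.  Sample packets below are constructed by hand."""
import struct

# RFC 4880 section 9.4 hash algorithm IDs (subset used here).
HASH_ALGORITHMS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                   9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Policy assumption: SHA-1 and anything weaker is refused outright.
REJECTED_HASHES = {1, 2, 3}


def _read_packet_header(data):
    """Return (tag, body_offset, body_length) for the first packet in data.
    Handles old- and new-format headers (RFC 4880 section 4.2); partial
    body lengths are not supported, signatures do not use them."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                       # new-format header
        tag = ctb & 0x3F
        b0 = data[1]
        if b0 < 192:
            return tag, 2, b0
        if b0 < 224:
            return tag, 3, ((b0 - 192) << 8) + data[2] + 192
        if b0 == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths unsupported")
    tag = (ctb >> 2) & 0x0F              # old-format header
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate length unsupported")


def parse_signature(data):
    """Return version, signature type, public-key algo and hash algo."""
    tag, off, length = _read_packet_header(data)
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    version = body[0]
    if version == 3:
        # v3: version, 0x05, sigtype, time(4), key id(8), pkalgo, hashalgo
        if body[1] != 5:
            raise ValueError("bad v3 hashed-material length")
        return {"version": 3, "sigtype": body[2], "pkalgo": body[15], "hash": body[16]}
    if version == 4:
        # v4: version, sigtype, pkalgo, hashalgo, then subpacket areas
        return {"version": 4, "sigtype": body[1], "pkalgo": body[2], "hash": body[3]}
    raise ValueError(f"unsupported signature version {version}")


def check_signature_policy(data):
    """Return (hash_name, accepted).  Unknown algorithms are not accepted."""
    sig = parse_signature(data)
    algo = sig["hash"]
    name = HASH_ALGORITHMS.get(algo, f"unknown({algo})")
    return name, algo in HASH_ALGORITHMS and algo not in REJECTED_HASHES


def make_v4_signature(hash_algo, new_format=False):
    """Constructed v4 RSA signature over a binary document (placeholder MPI)."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1700000000)   # creation time
    unhashed = bytes([9, 16]) + b"\x01" * 8                  # issuer key id (dummy)
    body = (bytes([4, 0x00, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xab\xcd"
            + struct.pack(">H", 16) + b"\xff\xff")           # dummy 16-bit MPI
    header = bytes([0xC2, len(body)]) if new_format else bytes([0x88, len(body)])
    return header + body


def make_v3_signature(hash_algo):
    """Constructed v3 RSA signature (old-format header, placeholder MPI)."""
    body = (bytes([3, 5, 0x00]) + struct.pack(">I", 1700000000) + b"\x01" * 8
            + bytes([1, hash_algo]) + b"\xab\xcd" + struct.pack(">H", 16) + b"\xff\xff")
    return bytes([0x88, len(body)]) + body


if __name__ == "__main__":
    for pkt in (make_v4_signature(2), make_v4_signature(8), make_v3_signature(1)):
        name, ok = check_signature_policy(pkt)
        print(f"{name:10s} {'accepted' if ok else 'REJECTED'}")
```

A binary detached signature (`.sig`) can be handed to `check_signature_policy` as raw bytes; an armored `.asc` has to be de-armored first. The point of doing this check before verification is the one the mail makes: an implementation that refuses the packet up front gives producers no signal that emitting SHA-1 signatures is acceptable.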