On May 8, 2009, at 3:26 AM, Raimar Sandner wrote:

On Friday 08 May 2009 09:14:27 Raimar Sandner wrote:
On Friday 08 May 2009 02:09:31 David Shaw wrote:
One fear that I've seen talked about for SHA-1 is that an attacker can create a duplicate document such that if you signed document or key A, they could come up with a document or key B that your signature would equally apply to.  That fear is more than a little overblown.  Even MD5 hasn't been broken to that extent.

http://eprint.iacr.org/2005/067.pdf

As far as I understand this paper, MD5 has been broken to that extent. For SHA1 you're still right of course.

http://eprint.iacr.org/2009/111.pdf

Sorry, this is the reference I meant... even more impressive :)

That's a different sort of attack. In the rogue CA attack, the attackers generated both A *and* B themselves. They then arranged to have A signed, and were then able to reveal B as if it had also been signed (massive oversimplification, of course, as there was a huge amount of work involved in even making that work, but the point here is that the attackers generated both A and B themselves). It's a collision attack. This attack (which again I must stress does not yet exist for SHA-1) is one of the reasons why it's a good idea to switch to SHA-256 for new signatures. That's just prudent.

There is no current attack, however, against any hash algorithm in OpenPGP, that would allow an attacker to pick some arbitrary signature out there and generate a key or document that hashes to the same value. This is a preimage attack, either variant of which could be used against OpenPGP, but neither of them currently exist - not in MD5, and certainly not in SHA-1. This (lack of) an attack is why I don't think people need to worry all that much about their existing signatures that are out there.

David
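To make the collision/preimage distinction above concrete, here is an added example that is not part of the thread or of GnuPG: SHA-256 truncated to 18 bits stands in for a broken hash, and the message prefixes and the "victim" document are constructed. A collision search, where the attacker generates both A and B, finishes in roughly 2^(BITS/2) hashes; a second-preimage search against a digest fixed by someone else's document needs roughly 2^BITS.

```python
import hashlib
from itertools import count

BITS = 18  # toy digest width; cost gap is ~2**(BITS/2) vs ~2**BITS


def toy_hash(data: bytes) -> int:
    """SHA-256 truncated to BITS bits: a deliberately weak stand-in hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - BITS)


def find_collision(prefix: bytes = b"attacker-controlled-"):
    """Collision attack: the attacker chooses BOTH documents A and B.

    Birthday search: keep hashing attacker-generated messages until two of
    them share a digest. Returns (A, B, number_of_messages_hashed).
    By the pigeonhole principle this needs at most 2**BITS + 1 messages,
    and on average only about 2**(BITS/2).
    """
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()  # constructed candidate documents
        h = toy_hash(msg)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_second_preimage(victim_doc: bytes, prefix: bytes = b"forged-"):
    """(Second-)preimage attack: the target digest belongs to a document the
    attacker did NOT choose, so every candidate must hit that exact value.
    Returns (forged_doc, number_of_messages_hashed); expected ~2**BITS work.
    """
    target = toy_hash(victim_doc)
    for j in count():
        msg = prefix + str(j).encode()  # constructed candidate documents
        if toy_hash(msg) == target:
            return msg, j + 1


if __name__ == "__main__":
    a, b, n_coll = find_collision()
    print(f"collision after {n_coll} hashes: {a!r} == {b!r}")
    victim = b"Signed by someone else, not the attacker"  # constructed
    forged, n_pre = find_second_preimage(victim)
    print(f"second preimage after {n_pre} hashes: {forged!r}")
```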


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users