On 06/27/2012 09:11 AM, Robert J. Hansen wrote:
> On 6/26/2012 3:22 AM, Werner Koch wrote:
>> This is very different in OpenPGP. SHA-1 is not used everywhere; its main use is for the fingerprint, this will eventually be a problem.
>
> I am not so sanguine. Marc Stevens claims [1] he has a working collision requiring 2**57 compressions: that number is low enough to make my hair stand on end. He also says he knows how to make it faster, and he's been curiously silent on the subject for the last year and a half. I think "eventually" is going to come sooner than we think.

For the key's fingerprint specifically, a pre-image (where the attacker crafts a new text that shares a digest with the victim's key material) is the thing to worry about, not a crafted collision (where the attacker generates two texts that share a digest). My read of [1] is that the attack is a collision technique, not a pre-image technique, which would imply that "eventually" is still actually a little ways off for fingerprints at least.

> Werner wrote:
>> Everywhere else we are already using SHA-2.

Not by default. In testing today with an empty profile, gpg 1.4.12 still defaults to making key certifications (where the attacker controls the digested material completely) and data signatures with SHA1. These are areas where a successful collision attack can do serious harm.

I'd be happy to see gpg migrate to defaults of SHA-256 for data signatures and key certifications; these digests have been available to users (of both GPG and PGP) for many years now. I've been using SHA-512 for my data signatures and key certifications for a few years and have never gotten a complaint.

--dkg

[1] http://code.google.com/p/hashclash/
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
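The point dkg makes above is that the digest algorithm is a per-signature choice recorded inside the signature packet, so it can be audited after the fact. The following is an added example, not code from the thread or from GnuPG: it parses the header and fixed-layout prefix of an OpenPGP signature packet (RFC 4880 sections 4.2, 5.2.2 and 5.2.3) and reports the hash algorithm identifier, flagging MD5 and SHA-1. The sample packets are constructed inline with a dummy MPI; they are well-formed enough to exercise the parser but are not cryptographically valid signatures. Function names, the constructed packets and the creation-time bytes are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Report which digest algorithm an OpenPGP signature packet was made with.

Added example, not part of the original mailing-list thread or of GnuPG.
Layouts follow RFC 4880: section 4.2 (packet headers), 5.2.2 (v3 signatures)
and 5.2.3 (v4 signatures).  The sample packets are constructed by hand and
carry a dummy MPI, so they are not verifiable signatures.
"""
import struct

# RFC 4880 section 9.4 hash algorithm identifiers.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASH_ALGOS = {1, 2}      # MD5 and SHA-1
SIG_PACKET_TAG = 2


def parse_packet_header(data, offset=0):
    """Return (tag, body_offset, body_length) for an old- or new-format header."""
    ctb = data[offset]
    if not ctb & 0x80:
        raise ValueError("bit 7 of the packet tag byte must be set")
    if ctb & 0x40:                                   # new-format header
        tag = ctb & 0x3F
        first = data[offset + 1]
        if first < 192:
            return tag, offset + 2, first
        if first < 224:
            return tag, offset + 3, ((first - 192) << 8) + data[offset + 2] + 192
        if first == 255:
            return tag, offset + 6, struct.unpack(">I", data[offset + 2:offset + 6])[0]
        raise ValueError("partial body lengths are not supported here")
    tag = (ctb >> 2) & 0x0F                          # old-format header
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, offset + 2, data[offset + 1]
    if ltype == 1:
        return tag, offset + 3, struct.unpack(">H", data[offset + 1:offset + 3])[0]
    if ltype == 2:
        return tag, offset + 5, struct.unpack(">I", data[offset + 1:offset + 5])[0]
    raise ValueError("indeterminate-length packets are not supported here")


def signature_digest_algo(packet):
    """Return (version, signature_type, hash_algorithm_id) for a signature packet."""
    tag, start, length = parse_packet_header(packet)
    if tag != SIG_PACKET_TAG:
        raise ValueError("not a signature packet (tag %d)" % tag)
    body = packet[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    version = body[0]
    if version == 4:
        # v4: version, sigtype, pubkey algo, hash algo, then the subpacket areas
        return version, body[1], body[3]
    if version == 3:
        # v3: version, 0x05, sigtype, creation time(4), key id(8), pubkey algo, hash algo
        if body[1] != 5:
            raise ValueError("malformed v3 signature")
        return version, body[2], body[16]
    raise ValueError("unsupported signature version %d" % version)


def digest_name(hash_id):
    return HASH_ALGOS.get(hash_id, "unknown(%d)" % hash_id)


def uses_weak_digest(packet):
    """True when the signature was made with MD5 or SHA-1."""
    return signature_digest_algo(packet)[2] in WEAK_HASH_ALGOS


# --- constructed sample packets (assumption: dummy creation time and MPI) ---
def build_v4_signature(sigtype, hash_algo, old_format_header=True):
    body = bytes([4, sigtype, 1, hash_algo])                    # pubkey algo 1 = RSA
    body += b"\x00\x06" + b"\x05\x02" + b"\x4f\xea\x2b\x40"     # hashed area: creation time
    body += b"\x00\x00"                                         # empty unhashed area
    body += b"\x12\x34"                                         # left 16 bits of hash (dummy)
    body += b"\x00\x08\xab"                                     # dummy 8-bit MPI
    if old_format_header:
        return bytes([0x80 | (SIG_PACKET_TAG << 2), len(body)]) + body
    return bytes([0xC0 | SIG_PACKET_TAG, len(body)]) + body


def build_v3_signature(sigtype, hash_algo):
    body = bytes([3, 5, sigtype]) + b"\x4f\xea\x2b\x40" + b"\x00" * 8
    body += bytes([1, hash_algo]) + b"\x12\x34" + b"\x00\x08\xab"
    return bytes([0xC0 | SIG_PACKET_TAG, len(body)]) + body


CERT_SHA1 = build_v4_signature(0x13, 2)        # positive certification made with SHA-1
DATA_SHA512 = build_v4_signature(0x00, 10, old_format_header=False)  # binary-document sig, SHA-512
V3_DATA_SHA1 = build_v3_signature(0x00, 2)     # legacy v3 signature, SHA-1

if __name__ == "__main__":
    for label, pkt in (("certification", CERT_SHA1), ("data sig", DATA_SHA512), ("v3 sig", V3_DATA_SHA1)):
        version, sigtype, hash_id = signature_digest_algo(pkt)
        flag = "WEAK" if hash_id in WEAK_HASH_ALGOS else "ok"
        print("%-13s v%d type 0x%02x digest %-6s %s" % (label, version, sigtype, digest_name(hash_id), flag))
```

The hash algorithm byte read here is the same field that `gpg --list-packets` prints as `digest algo N` for a signature packet, so the check can also be done on real signatures with that command (2 is SHA1, 8 is SHA256, 10 is SHA512). To get the defaults dkg asks for without waiting for a new gpg release, the relevant gpg.conf options are `cert-digest-algo` for key certifications and `personal-digest-preferences` for data signatures.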