On 7/10/2012 7:59 PM, brian m. carlson wrote:
> SHA-1 is considered cryptographically broken. It does not provide
> the level of security it claims.

Yes. This is not the same as being *insecure*, though, which is what was claimed. Moving from "cryptographically broken" to "insecure/dead" is about as large a step as going from "nothing" to "cryptographically broken."

MD5 was cryptographically broken in 1996. We didn't see major practical results against it until 2005 or so, and NIST didn't declare it to be dead and should no longer be used until 2010. There's some serious lag time there. SHA-1 will likely not have as long a lag time, but let's not go about pretending there is no lag time or that the lag time has already elapsed.

There tends to be a lot of scaremongering in the world of crypto. I think it's generally wise to be careful in our declarations. It is enough to say SHA-1 is known to not meet its design specifications and that some fairly devastating attacks against it will likely be coming along in the near future. That's already a good enough reason to reduce our usage of and dependency upon SHA-1. There's no need to fearmonger about how the algorithm has already collapsed, because it hasn't.

> Practically, collisions can be generated for 75 of the 80 rounds[0].

Right now, only random collisions can be generated. That's not any use in forging a signature, which requires a preimage collision. A cryptographic break is not the same as a practical exploit.

> I don't generate signatures with algorithms I consider insecure
> because that leads to people being able to forge signatures in my
> name.

Then you need to stop using OpenPGP altogether, because you're already generating SHA-1 signatures with your certificate which can be lifted and dropped onto new messages if/when a preimage attack is introduced against SHA-1.

Let me make this really clear: if you believe SHA-1 is insecure, you believe OpenPGP is insecure and you should stop using it. SHA-1 is hardwired into the OpenPGP spec in a few different places and, as of right now, cannot really be removed. The new V5 key format will almost certainly change this, but V5 won't be coming out for a good long while yet.

> If I use MD5, even for one message, that allows a moderately
> determined attacker to replay that signature on what is likely to
> become a fairly large set of messages. I'd rather avoid that, thank
> you.

You've *already done this*. If you truly believe this, stop using OpenPGP.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
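The distinction drawn in the reply above, between a collision attack (attacker picks both messages; cost on the order of 2^(n/2)) and a second-preimage attack against a message somebody else already signed (cost on the order of 2^n), is easy to see on a deliberately weakened hash. The following is an added illustration, not code from the thread, GnuPG or OpenPGP: it truncates SHA-1 to 24 bits so both searches run in seconds, and stands in a keyed MAC over the digest for a real signature, since the point being shown is only that a signature binds to hash(m), not to m. The key, message strings and budgets are all constructed for the demo.

```python
# Added illustration (not from the original thread): why a collision
# attack on a hash does not by itself let an attacker forge a signature
# on a message of their choosing, and why a (second-)preimage attack
# does. The digest width is cut down so the searches finish quickly.
import hashlib
import hmac

N_BITS = 24  # toy digest width; the real point is 2^(n/2) vs 2^n


def toy_hash(msg: bytes) -> int:
    """SHA-1 truncated to N_BITS; a stand-in for a weakened hash."""
    d = hashlib.sha1(msg).digest()
    return int.from_bytes(d, "big") >> (160 - N_BITS)


SIGNING_KEY = b"constructed demo key"  # hypothetical; a real scheme signs with an asymmetric key


def sign(msg: bytes) -> bytes:
    """Toy signature: a MAC over the digest only. Mirrors the fact that
    real signature schemes sign hash(m), never m itself."""
    digest = toy_hash(msg).to_bytes((N_BITS + 7) // 8, "big")
    return hmac.new(SIGNING_KEY, digest, hashlib.sha256).digest()


def verify(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(msg), sig)


def find_collision(budget: int = 1 << (N_BITS // 2 + 4)):
    """Birthday search: any two distinct messages with equal toy hashes.
    Expected cost about 2^(n/2). Both messages are attacker-chosen."""
    seen = {}
    for i in range(budget):
        m = b"collision-candidate-%d" % i
        h = toy_hash(m)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None


def find_second_preimage(target: bytes, budget: int):
    """Given a message somebody else already signed, look for a different
    message with the same digest. Expected cost about 2^n, the square of
    the collision cost; with a collision-sized budget it almost always fails."""
    want = toy_hash(target)
    for i in range(budget):
        m = b"forgery-candidate-%d" % i
        if m != target and toy_hash(m) == want:
            return m, i + 1
    return None


def demo():
    m1, m2, tries = find_collision()
    sig = sign(m1)
    # The signature obtained on m1 is accepted for m2: a collision lets the
    # attacker get one message signed and present the other, but only when
    # the attacker prepared both messages in advance.
    replayed = verify(m2, sig)

    # Against a message the attacker did not choose, the collision search
    # is no help; lifting an existing signature onto a new message needs a
    # second preimage, and the same budget is nowhere near enough.
    victim_msg = b"I owe you 10 EUR"  # constructed sample
    forgery = find_second_preimage(victim_msg, budget=1 << (N_BITS // 2 + 4))
    return {"collision_tries": tries, "replayed": replayed, "second_preimage": forgery}


if __name__ == "__main__":
    print(demo())
```

Running it shows the birthday search succeeding after a few thousand hashes while the second-preimage search, given the same budget against a 24-bit digest, comes back empty; scale N_BITS up and the gap between the two costs grows as the square. This is the sense in which "collisions exist" and "existing signatures can be replayed onto new messages" are different claims.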