On 07/10/2012 06:15 PM, Robert J. Hansen wrote:
> Right now, only random collisions can be generated. That's not any use
> in forging a signature, which requires a preimage collision.

If the attacker can convince you to sign a chosen text (perhaps one that looks reasonable), then a failure in the digest's collision-resistance could very well be used to replay that signature over a different (but colliding) text (which may not be something reasonable). This does not require a preimage collision. I'm not saying these attacks exist practically today against SHA1 (I don't know if they do), but collision-resistance is the relevant property, not resistance to pre-image attacks.

> SHA-1 is hardwired into the OpenPGP spec in a few different places and, as of
> right now, cannot really be removed.

The places where it is thoroughly "baked in" are the MDC (not relevant cryptographically) and the V4 fingerprint (where the relevant property is resistance to a preimage attack instead of resistance to generated collisions).

>> If I use MD5, even for one message, that allows a moderately
>> determined attacker to replay that signature on what is likely to
>> become a fairly large set of messages. I'd rather avoid that, thank
>> you.
>
> You've *already done this*.

Where exactly has the original poster signed anything over an MD5 digest?

--dkg
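As an added illustration of the point made in the reply above (not code from the thread or from GnuPG): hash-then-sign binds a signature to the digest, so any two texts with the same digest share one valid signature, and the attacker who chooses both texts needs only a collision, never a preimage. The digest is deliberately truncated to 16 bits and the RSA parameters are small constructed values so the collision is cheap to find.

```python
import hashlib
from typing import Tuple

# Toy "weak digest": only the first 16 bits of SHA-256. Constructed for the
# demonstration so that a birthday search finishes instantly.
def weak_digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest()[:2], "big")

# Textbook RSA over the raw digest (no padding). Hypothetical small primes,
# not OpenPGP key material; gcd(E, (P-1)(Q-1)) == 1 for these values.
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def sign(msg: bytes) -> int:
    """Hash-then-sign: the signature covers the digest, not the text itself."""
    return pow(weak_digest(msg), D, N)

def verify(msg: bytes, sig: int) -> bool:
    """Recompute the digest of the presented text and compare."""
    return pow(sig, E, N) == weak_digest(msg)

def find_colliding_pair(prefix: bytes) -> Tuple[bytes, bytes]:
    """Birthday search for two distinct texts with the same weak digest.

    Both texts are chosen by the searcher; no preimage of a fixed digest is
    ever computed, which is exactly the collision-resistance failure the
    reply above describes."""
    seen = {}
    counter = 0
    while True:
        candidate = prefix + str(counter).encode()
        h = weak_digest(candidate)
        if h in seen:
            return seen[h], candidate
        seen[h] = candidate
        counter += 1

def replay_demo() -> Tuple[bool, bool]:
    """Returns (signature verifies on the text actually signed,
    the same signature verifies on the other, colliding text)."""
    shown, other = find_colliding_pair(b"Meeting notes, draft ")
    sig = sign(shown)  # the signer only ever sees and approves `shown`
    return verify(shown, sig), verify(other, sig)
```

With a full-width digest the same search would need on the order of 2^(bits/2) work, which is why collision-resistance, not preimage-resistance, sets the bar for signature digests.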
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users