On Wednesday 21 September 2005 23:00, Daniel A. Nagy wrote:
> As before, I would like to express my concerns about allowing a choice of
> hash algorithms. Here's some detail:
> A complete break (feasible reversal) of ANY ONE of the supported hash
> algorithms would allow generating keys with arbitrary long key IDs,
> possibly colliding with an attacked key. This was a major problem with v3
> and v4 was a giant step in the right direction. This would be a small
I don't see how this attack would work.
Let's say MDX is broken by some genius.
First the trivial case:
Alice's key A uses MDX as its fingerprint algorithm. The fingerprint looks
like: 99:AB 12 34 56 78 90 CD EF...
Mallory can now generate an arbitrary key M, that has the same algorithm and
Now the less trivial:
Bob's key B uses MDY (which was not broken). Fingerprint: A0:12 34 56 78...
Mallory could attempt to create a key M2 which has the same hash value using
MDY as Bob's key using MDX, but the fingerprint would still be different:
99:12 34 56 78...
I don't see any way for Mallory to compromise Bob's key without changing the
first byte of the fingerprint. So allowing different algorithms AND
including their ID in the fingerprint would in my opinion be a good measure
to limit the damage (only Alice's key becomes ambiguous, not Bob's) in case
of a broken algorithm.
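As an added illustration of the argument in the reply above (this is not code from the thread or from any OpenPGP implementation), the following Python models fingerprints of the form [algorithm ID byte] || hash(key material). The names MDX/MDY, the IDs 0x99/0xA0 taken from the reply's examples, and the toy hashes are assumptions; MDX is deliberately modelled as fully broken (preimages are trivial) so that Mallory's capability can be simulated offline.

```python
import hashlib

# Algorithm IDs as used in the reply's examples (illustrative values, not real assignments).
MDX = 0x99   # the algorithm assumed to be completely broken
MDY = 0xA0   # the algorithm assumed to still be secure


def mdx(data: bytes) -> bytes:
    """Stand-in for a broken 160-bit hash: it merely echoes the first 20 bytes
    of its input (zero-padded), so preimages can be read straight off a digest."""
    return data[:20].ljust(20, b"\x00")


def mdy(data: bytes) -> bytes:
    """Stand-in for an unbroken 160-bit hash: SHA-256 truncated to 20 bytes."""
    return hashlib.sha256(data).digest()[:20]


HASHES = {MDX: mdx, MDY: mdy}


def fingerprint(alg_id: int, key_material: bytes, tag_algorithm: bool = True) -> bytes:
    """Fingerprint = [algorithm id byte] || hash(key material).
    tag_algorithm=False drops the id byte (the design the reply argues against)."""
    digest = HASHES[alg_id](key_material)
    return bytes([alg_id]) + digest if tag_algorithm else digest


def mdx_preimage(target: bytes) -> bytes:
    """Mallory's capability once MDX is broken: key material whose MDX digest
    equals `target`. Trivial for the toy hash; treated as a black-box oracle."""
    return target


def forge_against(victim_alg: int, victim_key: bytes, tag_algorithm: bool = True):
    """Return (victim_fp, forged_fp): the forged key is hashed with broken MDX
    and chosen so that its MDX digest equals the victim key's digest."""
    victim_digest = HASHES[victim_alg](victim_key)
    forged_key = mdx_preimage(victim_digest)
    return (fingerprint(victim_alg, victim_key, tag_algorithm),
            fingerprint(MDX, forged_key, tag_algorithm))


if __name__ == "__main__":
    alice = b"constructed key material for Alice (uses MDX)"
    bob = b"constructed key material for Bob (uses MDY)"
    a_fp, m_fp = forge_against(MDX, alice)
    print("Alice's key ambiguous:", a_fp == m_fp)                     # True
    b_fp, m2_fp = forge_against(MDY, bob)
    print("Bob's key ambiguous with algorithm tag:", b_fp == m2_fp)   # False
    u_fp, u2_fp = forge_against(MDY, bob, tag_algorithm=False)
    print("Bob's key ambiguous without tag:", u_fp == u2_fp)          # True
```

The tagged case differs only in the leading byte (A0 versus 99), exactly the "first byte of the fingerprint" the reply points to; remove the tag and Bob's key becomes ambiguous as well.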