ietf-openpgp

Re: [openpgp] Followup on fingerprints

2015-08-05 12:16:21
Daniel Kahn Gillmor <dkg(_at_)fifthhorseman(_dot_)net> writes:

The current OpenPGP fingerprint mechanism (in RFC 4880) uses SHA-1,
which is a 160-bit digest.  SHA-1's collision resistance is believed to
be weaker than the 2^80 work factor that an ideal 160-bit digest should
have.  But that doesn't mean that it is necessarily "broken" for
OpenPGP, if there is no way to exploit a collision attack on fingerprints
in general.

Indeed, while the SHA-1 collision resistance appears to be less than
2^80, there do not seem to be any known attacks that would make a
preimage attack any easier, which means the way OpenPGP uses SHA-1 for
fingerprints is still, technically, secure.

The real issue is one of education.  It's probably easier to move to
SHA2 than explain why the OpenPGP use of SHA-1 for fingerprints isn't
broken.

That said, the general cryptographic advice on SHA-1 is "don't use it",
so while sticking with SHA-1 may not be a problem for this specific
case, it is a distraction from the cryptanalysis to have to have this
kind of discussion ("actually, maybe it's ok in this particular use")
whenever it comes up.

Our constraints in the WG here are also bound by UI concerns -- the
fingerprint mechanism is one used by humans, and humans have a limited
capacity to process and handle long high-entropy bitstrings (regardless
of their representation).  So we're really trying to navigate a
multidimensional design space here when we talk about what to do for
fingerprints.

I'll try to start a new thread that identifies those choices more
clearly, and ask people to weigh in on simpler questions about
fingerprints rather than having everything tangled up.

             --dkg

-derek

-- 
       Derek Atkins                 617-623-3745
       derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
       Computer and Internet Security Consultant
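
An added example, not part of either message in this thread: the RFC 4880 v4 fingerprint computation under discussion, written in Python. The key material is a constructed integer rather than a real RSA modulus, and the SHA-256 output is a hypothetical comparison of what a human would have to read, not a format defined in RFC 4880.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """RFC 4880 section 3.2 MPI: 2-byte big-endian bit count, then the value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Version 4 public-key packet body (section 5.5.2) for RSA, algorithm ID 1."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def fingerprint(body: bytes, algo: str = "sha1") -> bytes:
    """Section 12.2: hash of 0x99, the 2-byte body length, then the body.
    algo="sha1" is the RFC 4880 v4 fingerprint; any other digest here is a
    hypothetical comparison, not a format RFC 4880 defines."""
    return hashlib.new(algo, b"\x99" + struct.pack(">H", len(body)) + body).digest()

def key_id(v4_fpr: bytes) -> bytes:
    """The v4 Key ID is the low-order 64 bits of the SHA-1 fingerprint."""
    return v4_fpr[-8:]

def human_form(fpr: bytes) -> str:
    """Hex in groups of four, the form a person compares by eye."""
    h = fpr.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))

# Constructed sample input: an odd 2048-bit integer, NOT a real RSA modulus.
SAMPLE_N = (1 << 2047) + 12345
SAMPLE_E = 65537
SAMPLE_CREATED = 1438776981  # constructed creation timestamp

if __name__ == "__main__":
    body = v4_rsa_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
    for algo in ("sha1", "sha256"):
        fpr = fingerprint(body, algo)
        # Generic bounds for an ideal digest: collisions ~2^(bits/2), preimages ~2^bits.
        bits = len(fpr) * 8
        print(f"{algo}: {human_form(fpr)}")
        print(f"  {bits} bits, collision bound 2^{bits // 2}, preimage bound 2^{bits}")
    print("key id:", key_id(fingerprint(body)).hex().upper())
```

The creation timestamp is part of the hashed packet body, so the same key material with a different timestamp yields a different fingerprint.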
