ietf-openpgp

Re: Agree with PRZs MDC suggestion

1999-05-21 00:15:17
At 7:26 AM -0700 5/19/1999, Werner Koch said:

   political/patents maybe an argument.  Actually we don't need a
   cryptographic hash function here but only a good checksum - so SHA1
   is good enough and it is the only hash algorithm which is required
   anyway.

   However, if it turns out that we have to change something, we have the
   version number and can implement another scheme with another version
   number which must then be made tamperproof, e.g. by putting a copy
   into the encrypted data.

I believe that it's true that we don't need all the properties of a
cryptographic hash. The reason for picking SHA-1 is that an implementation
already has to have SHA-1, so it's a favor to anyone who wants to do a
minimal implementation.

I did a design for this late last year that had a hash selector. The
objection to a selector on the hash algorithm is simply that an attacker
could potentially modify the hash selector and cause mischief. I'm
skeptical as to what sort of mischief they could really cause, but I see
the point.

For this purpose, SHA-1 is good enough. Actually, for this purpose, MD4
(which is known to be broken as a signature hash) is good enough. Remember,
we have in this packet (presumably) unknown plaintext (if the attacker
knows the plaintext of the message, I think there are other problems)
sealed with a strong cipher. We don't need all the properties of a
cryptographic hash. I'm in favor of picking SHA-1, just because it's handy.

        Jon
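The construction under discussion, as an added illustration that is not part of Jon's post and not code from any OpenPGP implementation: the plaintext is hashed with SHA-1, the digest is appended, and plaintext||digest is sealed under a cipher, so a recipient who decrypts can recompute the digest and detect modification of the ciphertext. The cipher here is a constructed stand-in, a keystream generated from HMAC-SHA256 in counter mode, chosen only so the example runs with the standard library; it is not OpenPGP's CFB mode, and the 20-byte trailer layout is the example's own simplification of an MDC, not the packet format.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16   # assumption of this example, not an OpenPGP value
MDC_LEN = 20     # SHA-1 digest length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in for 'a strong cipher': HMAC-SHA256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Append SHA-1(plaintext) as a modification detection code, then encrypt
    plaintext || MDC. The MDC lives inside the encrypted data, so an attacker
    who cannot recover the plaintext cannot recompute it."""
    nonce = os.urandom(NONCE_LEN)
    body = plaintext + hashlib.sha1(plaintext).digest()
    return nonce + _xor(body, _keystream(key, nonce, len(body)))


def unseal(key: bytes, message: bytes) -> bytes:
    """Decrypt, split off the trailing MDC, and verify it before returning
    any plaintext. Raises ValueError on any mismatch."""
    if len(message) < NONCE_LEN + MDC_LEN:
        raise ValueError("message too short to carry an MDC")
    nonce, ciphertext = message[:NONCE_LEN], message[NONCE_LEN:]
    body = _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))
    plaintext, mdc = body[:-MDC_LEN], body[-MDC_LEN:]
    expected = hashlib.sha1(plaintext).digest()
    if not hmac.compare_digest(expected, mdc):
        raise ValueError("MDC check failed: encrypted data was modified")
    return plaintext


def tamper_is_detected(key: bytes, plaintext: bytes, index: int) -> bool:
    """Flip one bit of the ciphertext at the given offset (a stream cipher on
    its own would pass that flip straight through to the plaintext) and
    report whether the MDC check catches it."""
    msg = bytearray(seal(key, plaintext))
    msg[NONCE_LEN + index] ^= 0x01
    try:
        unseal(key, bytes(msg))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample key and message.
    key = b"\x42" * 32
    text = b"unknown plaintext sealed with a strong cipher"
    assert unseal(key, seal(key, text)) == text
    print("plaintext flip detected:", tamper_is_detected(key, text, 3))
    print("MDC flip detected:", tamper_is_detected(key, text, len(text) + 5))
```

The point the example makes concrete is the one in the thread: because the digest is computed over plaintext the attacker does not know and is itself encrypted, collision resistance is not what the check relies on, which is why a required hash like SHA-1 serves well enough here. Note that a hash selector stored outside the encrypted data would not be covered by this check; the example has no selector at all, which is the design being argued for.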