On Thu, Feb 17, 2005 at 12:58:24PM +0000, Ian G wrote:
Werner Koch wrote:
On Thu, 17 Feb 2005 09:36:08 +0000 (UTC), Lutz Donnerhacke said:
Don't panic. This problem is already solved by allowing different
hash-algorithms in the packet format. As long as no detailed examination
The fingerprint and the MDC both use SHA-1 hardwired.
It would seem an easy matter to add some options
on fingerprint. That's something that could be
added to the standard as a MAY and people can
switch across if the weaknesses in SHA1 move
across to economically exploitable status.
I don't think it's all that easy to just add options to the
fingerprint. Let's say you specified a fingerprint (which is
currently just HASH) with ALGO:HASH. So, my current (SHA-1)
fingerprint would be:
Simple enough, but my fingerprint would also be (MD5):
and even (SHA-512):
Allowing multiple representations of the fingerprint allows for all
sorts of problems where an attacker can force a particular hash
algorithm. There is even a warning about this attack (in the context
of signatures) in the draft.
If SHA-1 is showing its age, well, that's to be expected. It's had a
good run, but even before this new attack came to light, it was
already being phased out by NIST.
Rather than trying to jury-rig something together to allow using other
hashes, I think I would rather just declare a V5 key format (which can
be essentially the same as V4), which uses a different hash. Users
can continue using V4 keys as long as they desire, and developers will
have time to add support for V5 so it's ready when it is needed. This
ties in neatly with other things recently discussed here : for
example, a V5 key could be said to have AES as the default algorithm.
Note that keyservers and other programs that use OpenPGP will need to
understand whatever we do. Not messing about with the well-understood
and widely implemented definition of V4 keys will make this easier.