On Wednesday 21 September 2005 23:00, Daniel A. Nagy wrote:
As before, I would like to express my concerns about allowing a choice of
hash algorithms. Here's some detail:
A complete break (feasible reversal) of ANY ONE of the supported hash
algorithms would allow generating keys with arbitrary long key IDs,
possibly colliding with an attacked key. This was a major problem with v3
and v4 was a giant step in the right direction. This would be a small
step backwards.
I don't see how this attack would work.
Let's say MDX is broken by some genius.
First the trivial case:
Alices Key A uses MDX as its fingerprint algorithm. The fingerprint looks
like: 99:AB 12 34 56 78 90 CD EF...
Mallory can now generate an arbitrary key M, that has the same algorithm and
fingerprint.
Now the less trivial:
Bobs key B uses MDY (which was not broken). Fingerprint: A0:12 34 56 78...
Mallory could attempt to create a key M2 which has the same hash value using
MDY as Bobs key using MDX, but the fingerprint would still be different:
99:12 34 56 78...
I don't see any way for Mallory to compromise Bobs key without changing the
first byte of the fingerprint. So allowing different algorithms AND
including their ID in the fingerprint would in my opinion be a good measure
to limit the damage (only Alices key becomes ambiguous, not Bobs) in case
of a broken algorithm.
Konrad
pgprd5TVtXVKK.pgp
Description: PGP signature