ietf-openpgp

Re: Non-SHA-1 fingerprints

2009-05-05 13:06:36

On 05/04/2009 06:04 PM, Daniel A. Nagy wrote:
> For fingerprints, MDC and self-signatures, collision-resistance does
> not matter, only the one-way property. So I think it is totally safe to
> postpone discussion until SHA3 is selected.

To quibble a bit, the real issue is not the specific usage, but whether
the creator of the signature controls the content that is hashed, and
whether he adds enough information and "entropy" of his own that no
outsider could substantially control and/or guess the content.

I can imagine situations from the list above where outsiders might be
able to mount an attack. Even self-signatures may have substantial
data contributed by outsiders, at least with use of some allowed
extensions. We have notation subpackets and possibly other subpackets
which could include data that is supplied by outsiders.

PGP has for many years supported an extension to the User ID called a
Photo ID, which includes a picture of the key holder. Imagine if you added
to your key a photo of yourself, but one that was taken by someone else,
and signed it with a self signature using a weak hash. Some time later
you might discover a different-looking photo circulating, signed with
that same signature (because the photo was gimmicked to allow a change
in some data to display a different image).  One could imagine security
implications of this kind of substitution.

MDC packets should be immune because we hash the prefix which should
normally include 128+ bits of randomness. Likewise with fingerprints,
presumably the key itself includes sufficient randomness to make it
unguessable, otherwise many other attacks are possible.

Hal Finney
PGP Corporation
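
Added example, not part of Hal's message or of any OpenPGP implementation: a small Python audit of a v4 signature packet body (RFC 4880 layout) that flags the combination the message warns about, a weak hash algorithm over hashed subpackets whose bytes an outsider may have supplied (here only notation data, type 20, is treated that way). The packet header is assumed already stripped, and the sample signature bytes are constructed.

```python
import struct

# OpenPGP hash-algorithm IDs (RFC 4880 section 9.4) this check treats as weak.
WEAK_HASHES = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160"}
# Hashed-subpacket types whose content is often supplied by someone other than the signer.
OUTSIDER_SUBPACKETS = {20: "notation data"}

def _subpacket_len(buf, pos):
    """Decode an RFC 4880 subpacket length at buf[pos]; return (length, header_size)."""
    first = buf[pos]
    if first < 192:
        return first, 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], 5

def parse_subpackets(area):
    """Return [(type, body), ...] for every subpacket in a subpacket area."""
    out, pos = [], 0
    while pos < len(area):
        length, hdr = _subpacket_len(area, pos)
        pos += hdr
        sub_type = area[pos] & 0x7F          # bit 7 is the 'critical' flag
        out.append((sub_type, area[pos + 1:pos + length]))
        pos += length                        # length covers the type octet plus the body
    return out

def audit_v4_signature(body):
    """Audit a v4 signature packet body (packet tag/length header already removed)."""
    if body[0] != 4:
        raise ValueError("only v4 signature packets are supported")
    hash_alg = body[3]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = parse_subpackets(body[6:6 + hashed_len])
    outsider = [OUTSIDER_SUBPACKETS[t] for t, _ in hashed if t in OUTSIDER_SUBPACKETS]
    weak = WEAK_HASHES.get(hash_alg)
    # The risky combination: a weak hash over hashed data an outsider could have shaped.
    return {"sig_type": body[1], "weak_hash": weak, "outsider_hashed": outsider,
            "needs_review": weak is not None and bool(outsider)}

# Constructed sample: a v4 positive certification (0x13, RSA, SHA-1) whose hashed area
# holds a creation-time subpacket (type 2) and a notation-data subpacket (type 20).
SAMPLE_SIG_BODY = bytes([
    0x04, 0x13, 0x01, 0x02, 0x00, 0x25,              # version, sig type, RSA, SHA-1, 37 hashed bytes
    0x05, 0x02, 0x4A, 0x00, 0x00, 0x00,              # creation time
    0x1E, 0x14, 0x80, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x05,  # notation: flags, name/value lengths
]) + b"note@example.org" + b"hello" + bytes([
    0x00, 0x0A, 0x09, 0x10, 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04, 0xAB, 0xCD, 0x00, 0x08, 0x7F,
])
```

The unhashed issuer subpacket, hash prefix and dummy MPI at the end of the sample are carried only so the byte layout is complete; the audit stops after the hashed area.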
