
Re: [openpgp] SHA-2 support should be mandatory – change defaults

2014-08-10 19:40:34
On Sun, Aug 10, 2014 at 07:57:48PM +0200, Christian Stadelmann wrote:
> There are several known attacks against SHA-1 reducing its effective
> security (without breaking it). Since SHA-2 has been widely deployed for
> about 10 years, I think it is time to move on and make SHA-2 the default.

First off, I'm not a cryptographer, but this is my understanding of what it
would take to break SHA-1 on a PGP signature.

I'm assuming that the attacks you are referring to are collision attacks,
because there is no practical second preimage attack on SHA-1 [1], or even MD5
for that matter [2]. Second preimage attacks differ from collision attacks
subtly. In a collision attack, the plaintexts p1 and p2 are not specified, but
chosen randomly. With second preimage attacks, plaintext p1 is known, so
plaintext p2 must be found such that hash(p1) == hash(p2) [3].

    1. http://stackoverflow.com/a/2774744
    2. https://en.wikipedia.org/wiki/MD5#Preimage_vulnerability
    3. https://en.wikipedia.org/wiki/Preimage_attack

Also, I'm assuming you don't understand how PGP signatures work. With PGP
signatures, a plaintext message is first cryptographically hashed, then
encrypted with the sender's private key. So to mount a feasible attack on a PGP
signature, you would need to:

    1- Produce the exact cryptographic hash from a different public key, or
    2- Find a hash collision with differing text

In the first case, you would be breaking RSA, El Gamal, etc. In the second, you
would be mounting a second preimage attack on the hash function. Neither case
is practical, or even remotely close to becoming practical in the foreseeable
future.

Finally, even though it's not the default, you can change your gpg.conf(5) to
use a specific hashing algorithm that your signing key supports, such as SHA1,
SHA224, SHA256, SHA384, SHA512, RIPEMD160, etc. It's trivial to make the
change, and while I don't know about Enigmail specifically, Mutt will honor the
change.

I'm guessing that there may be some historical baggage that prevents making
SHA-2 or SHA-3 the default for OpenPGP in the near term, such as breaking older
PGP userspace implementations. Also, SHA-1 outperforms SHA-2 [4]. I would
advocate moving to SHA-3 if performance were a factor, as the authors claim 12.5
cycles per byte [5], versus 15.8 with SHA-256 and 17.7 with SHA-512 (even
though SHA-1 still outperforms SHA-3) [4].

    4. http://www.cryptopp.com/benchmarks.html
    5. http://keccak.noekeon.org/Keccak-implementation-3.2.pdf

Thanks,

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
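The post above says a signature is "hash, then sign" and that the hash can be
switched per user via gpg.conf. The practical follow-up question is how to
confirm which hash a given signature was actually made with. The following is
an added example, not code from the list post and not GnuPG's own code: a
minimal parser for an OpenPGP signature packet (RFC 4880, section 5.2) that
reports the public-key algorithm, the hash algorithm, the creation time and
the issuer key ID, plus a `uses_sha2` check in the spirit of the thread's
proposal. The sample packet is constructed by hand for this example: the
header, subpackets and algorithm IDs are laid out per the RFC, but the MPI is
a dummy, so it is not a verifiable signature. Function names are mine.

```python
"""Added example (not from the list post or GnuPG): read one OpenPGP signature
packet and report which hash it was made with (RFC 4880 sections 4.2, 5.2)."""
import base64
import struct

# RFC 4880 section 9.4 hash algorithm IDs
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# RFC 4880 section 9.1 public-key algorithm IDs
PUBKEY_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
                16: "Elgamal (encrypt-only)", 17: "DSA"}
SHA2 = {"SHA224", "SHA256", "SHA384", "SHA512"}


def dearmor(text):
    """Strip ASCII armor from a PGP SIGNATURE block: drop the armor headers
    (everything up to the first blank line) and the '=' CRC line, then
    base64-decode what is left."""
    lines = text.strip().splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP SIGNATURE"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP SIGNATURE"))
    body = lines[start + 1:end]
    if "" in body:                       # armor headers end at the blank line
        body = body[body.index("") + 1:]
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))


def packet_body(data):
    """Return (tag, body) of the first packet. Handles old- and new-format
    headers; partial/indeterminate lengths are rejected (signatures never use them)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body length not supported")
    else:                                            # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    return tag, data[off:off + length]


def parse_subpackets(blob):
    """Split a signature subpacket area into {type: payload} (section 5.2.3.1)."""
    out, i = {}, 0
    while i < len(blob):
        first = blob[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + blob[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", blob[i + 1:i + 5])[0], i + 5
        sptype = blob[i] & 0x7F                      # high bit = 'critical' flag
        out[sptype] = blob[i + 1:i + length]         # length counts the type octet
        i += length
    return out


def parse_signature(data):
    """Return a dict describing the signature packet at the start of `data`."""
    tag, body = packet_body(data)
    if tag != 2:
        raise ValueError("packet tag %d is not a signature" % tag)
    version = body[0]
    if version == 3:                                 # fixed v3 layout, section 5.2.2
        return {"version": 3, "sig_type": body[2],
                "pubkey_algo": PUBKEY_ALGOS.get(body[15], str(body[15])),
                "hash_algo": HASH_ALGOS.get(body[16], str(body[16]))}
    if version != 4:
        raise ValueError("unsupported signature version %d" % version)
    sig_type, pk, hashid = body[1], body[2], body[3]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = parse_subpackets(body[6:6 + hashed_len])
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = parse_subpackets(body[p + 2:p + 2 + unhashed_len])
    info = {"version": 4, "sig_type": sig_type,
            "pubkey_algo": PUBKEY_ALGOS.get(pk, str(pk)),
            "hash_algo": HASH_ALGOS.get(hashid, str(hashid))}
    if 2 in hashed:                                  # signature creation time
        info["created"] = struct.unpack(">I", hashed[2])[0]
    issuer = hashed.get(16) or unhashed.get(16)      # issuer key ID
    if issuer:
        info["issuer_keyid"] = issuer.hex().upper()
    return info


def uses_sha2(sig_bytes):
    """True if the signature was made with a SHA-2 family hash."""
    return parse_signature(sig_bytes)["hash_algo"] in SHA2


# CONSTRUCTED sample: v4 binary-document signature, RSA, SHA256, old-format header.
# Layout follows the RFC; the single 16-bit MPI is a placeholder, not a real signature.
SAMPLE_SIG = bytes.fromhex(
    "88" "1e"                   # CTB: tag 2 (signature), 1-octet length; body = 30 octets
    "04 00 01 08"               # version 4, sig type 0x00, pubkey RSA (1), hash SHA256 (8)
    "0006" "05 02 53e7b8e2"     # hashed area: creation-time subpacket (type 2)
    "000a" "09 10 0123456789abcdef"  # unhashed area: issuer key ID subpacket (type 16)
    "abcd"                      # left 16 bits of the signed hash
    "0010 abcd"                 # dummy MPI (bit count + value)
)
SAMPLE_SIG_SHA1 = SAMPLE_SIG[:5] + bytes([2]) + SAMPLE_SIG[6:]   # same packet, hash ID 2
ARMORED_SAMPLE = ("-----BEGIN PGP SIGNATURE-----\nVersion: example (constructed)\n\n"
                  + base64.b64encode(SAMPLE_SIG).decode() + "\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for name, sig in (("sha256 sample", SAMPLE_SIG), ("sha1 sample", SAMPLE_SIG_SHA1),
                      ("armored sample", dearmor(ARMORED_SAMPLE))):
        print(name, parse_signature(sig), "SHA-2:", uses_sha2(sig))
```

To apply the change the post describes, the GnuPG options are `digest-algo`
(forces the hash for data signatures), `personal-digest-preferences` (the
recommended form, e.g. `personal-digest-preferences SHA512 SHA384 SHA256
SHA224`, which still honors recipient preferences) and `cert-digest-algo` (for
key certifications). After signing, `gpg --list-packets` on the detached
signature prints a `digest algo N` field that is the same hash ID this parser
reads from byte 4 of the v4 signature body.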