On Sunday, August 10, 2014, Aaron Toponce
<aaron(_dot_)toponce(_at_)gmail(_dot_)com> wrote:
On Sun, Aug 10, 2014 at 07:57:48PM +0200, Christian Stadelmann wrote:
There are several known attacks against SHA-1 reducing its effective
security (without breaking it). Since SHA-2 is widely deployed for about
10 years I think it is time to move on and make SHA-2 default.
Christian is correct (except for the not breaking SHA-1 part). The
collision attacks on SHA-1 are serious and are computationally feasible
(but still too expensive for academic cryptographers). I'd suggest reading
Marc Steven's thesis:
https://marc-stevens.nl/research/papers/PhD%20Thesis%20Marc%20Stevens%20-%20Attacks%20on%20Hash%20Functions%20and%20Applications.pdf
Note that chosen-prefix collision attacks, in particular, can accomplish
almost everything a 2nd preimage attack on a hash can. Again, Stevens
provides useful details.
Also, I'm assuming you don't understand how PGP signatures work.
OpenPGP does not use any signature algorithms which are
'collision-resistant'. So, if the hash algorithm is weak, so are the
signatures.
For RSA signatures, the situation is even worse; there is no proof
that PKCS1v1_5 signatures have any specific security strength against
forgery.[*]
ECDSA signatures are the only OpenPGP-specified signature algorithm with a
good security proof. Google's E2E extension is well-written and generates
ECC keys exclusively (but can verify RSA signatures); I recommend it
highly. (But it is in beta right now.)
even though it's not default, you can change your gpg.conf(5) to use a
specific hashing algorithm
In particular, set the following preferences in GnuPG:
digest-algo SHA512
cipher-algo AES256
The man page incorrectly warns against using them, and advises that you use
the 'personal-' variants instead. These effectively do nothing.
If any downstream package maintainers are reading this, email me, and I'll
be delighted to open an issue to include a modern gpg.conf skeleton in
your package. (I'm presently preparing an annotated version with detailed
justifications for various option settings.)
I'm guessing that there may be some historical baggage that prevents making
SHA-2 or SHA-3 the default for OpenPGP in the near term, such as breaking
older
PGP userspace implementations.
Does *anyone* on this list use an OpenPGP implementation that does not
support SHA-2 and AES? (And, if so, can you estimate how many users are in
a similar position?)
-dlg
[*] In particular, even though we can estimate the cost of *factoring* an
RSA key, the cost of *forging* a signature may be much lower. This cost may
well be lower than the cost of a collision attack on the hash. See,
e.g., Coron et al.'s work on ISO 9796-2 signatures, if you aren't clear on
the distinction: https://eprint.iacr.org/2009/203.pdf
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp