[Top] [All Lists]

Re: [openpgp] SHA-2 support should be mandatory – change defaults

2014-08-10 23:21:21
On Sunday, August 10, 2014, Aaron Toponce 
<aaron(_dot_)toponce(_at_)gmail(_dot_)com> wrote:

On Sun, Aug 10, 2014 at 07:57:48PM +0200, Christian Stadelmann wrote:
There are several known attacks against SHA-1 reducing its effective
security (without breaking it). Since SHA-2 is widely deployed for about
10 years I think it is time to move on and make SHA-2 default.

Christian is correct (except for the not breaking SHA-1 part). The
collision attacks on SHA-1 are serious and are computationally feasible
(but still too expensive for academic cryptographers). I'd suggest reading
Marc Steven's thesis:

Note that chosen-prefix collision attacks, in particular, can accomplish
almost everything a 2nd preimage attack on a hash can. Again, Stevens
provides useful details.

Also, I'm assuming you don't understand how PGP signatures work.

OpenPGP does not use any signature algorithms which are
'collision-resistant'. So, if the hash algorithm is weak, so are the

For RSA signatures, the situation is even worse; there is no proof
that PKCS1v1_5 signatures have any specific security strength against

ECDSA signatures are the only OpenPGP-specified signature algorithm with a
good security proof. Google's E2E extension is well-written and generates
ECC keys exclusively (but can verify RSA signatures); I recommend it
highly. (But it is in beta right now.)

even though it's not default, you can change your gpg.conf(5) to use a
specific hashing algorithm

In particular, set the following preferences in GnuPG:

digest-algo SHA512
cipher-algo AES256

The man page incorrectly warns against using them, and advises that you use
the 'personal-' variants instead. These effectively do nothing.

If any downstream package maintainers are reading this, email me, and I'll
be delighted to open an issue to include a modern gpg.conf skeleton in
your package. (I'm presently preparing an annotated version with detailed
justifications for various option settings.)

I'm guessing that there may be some historical baggage that prevents making
SHA-2 or SHA-3 the default for OpenPGP in the near term, such as breaking
PGP userspace implementations.

Does *anyone* on this list use an OpenPGP implementation that does not
support SHA-2 and AES? (And, if so, can you estimate how many users are in
a similar position?)


[*] In particular, even though we can estimate the cost of *factoring* an
RSA key, the cost of *forging* a signature may be much lower. This cost may
well be lower than the cost of a collision attack on the hash. See,
e.g., Coron et al.'s work on ISO 9796-2 signatures, if you aren't clear on
the distinction:
openpgp mailing list