ietf-openpgp

Re: [openpgp] Deprecating SHA1

2020-10-24 11:54:17
On 2020-10-23 at 12:51:08, Neal H. Walfield wrote:
> So, two questions:
>
>   - Does anyone see a safe way to accept SHA1 self-signatures today?
>     Or (ouch!), if we want to be safe, do we have to convince ~10% of
>     the sophisticated OpenPGP users to re-sign or regenerate their
>     keys?

I think the time for transition with SHA-1 is gone.  The algorithm is
estimated to be attackable for $45,000.  A thrifty and reasonably
well-paid software engineer could put that away in a year or less.  It's
within the budget of almost any medium or large business.

We should soundly bludgeon SHA-1 over the head and let it die.  I'd
propose stating that implementations MUST NOT accept signatures made
with MD5 or SHA-1 in RFC 4880 bis.  Both have been known to be weak for
a long time.  It will be painful, but we're not helping anyone by
continuing to accept weak algorithms.

I should point out that GnuPG has shipped with SHA-256 since
approximately 2002 and SHA-384 and SHA-512 since at least 2007.  That
means everyone using any major operating system that still has security
support should be able to verify newer signatures.

If we're provident, we'll specify some version of SHA-3 to be a SHOULD.
Cryptanalysis is advancing on SHA-2.

>   - What do people think about including a salt in the hash to make
>     the content of the hash less predictable as described in [7]?

I know not everyone will agree, but I prefer deterministic signatures.
There are use cases for OpenPGP with systems with little or no entropy
using Ed25519 or deterministic ECDSA for signing.  Smart cards come to
mind, for example.

Additionally, I don't think a salt is proof that a signature doesn't
have a collision.  If the salt is generated by the attacker, then it can
easily be part of the collision.  That could easily be the case if the
signature came from a smart card or embedded device, where the salt
might not be generated on the card.  We therefore cannot rely on it as
evidence that a signature using a weak algorithm is secure.
-- 
brian m. carlson (he/him or they/them)
Houston, Texas, US

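As an added example, not code from this message, from GnuPG, or from any OpenPGP implementation: a Python policy check that parses an OpenPGP signature packet (old- and new-format headers per RFC 4880 section 4.2, v3/v4 body layout per section 5.2) just far enough to read the hash algorithm octet, and refuses MD5 (id 1) and SHA-1 (id 2), which is the MUST NOT the message proposes. The sample packets are constructed by hand with placeholder MPIs and are not real signatures; the function names and the REJECTED_HASHES set are this example's own choices.

```python
"""Reject OpenPGP signatures that used MD5 or SHA-1.

Added example, not from the openpgp list or any OpenPGP implementation.
Packet layout follows RFC 4880 sections 4.2 and 5.2. Sample packets
below are constructed for the check; their MPI bytes are placeholders.
"""
import struct

TAG_SIGNATURE = 2

# Hash algorithm ids from RFC 4880 section 9.4 (SHA3 ids added by RFC 9580).
HASH_ALGOS = {
    1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
    10: "SHA512", 11: "SHA224", 12: "SHA3-256", 14: "SHA3-512",
}
# Policy from the message: never accept signatures made with MD5 or SHA-1.
REJECTED_HASHES = {1, 2}


def parse_packet_header(buf):
    """Return (tag, body_offset, body_length) for an old- or new-format header."""
    ctb = buf[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if ctb & 0x40:  # new-format header: tag in low 6 bits, variable length field
        tag = ctb & 0x3F
        b0 = buf[1]
        if b0 < 192:
            return tag, 2, b0
        if b0 < 224:
            return tag, 3, ((b0 - 192) << 8) + buf[2] + 192
        if b0 == 255:
            return tag, 6, struct.unpack(">I", buf[2:6])[0]
        raise ValueError("partial body lengths not supported here")
    tag = (ctb >> 2) & 0x0F  # old-format header: tag in bits 2..5
    length_type = ctb & 0x03
    if length_type == 0:
        return tag, 2, buf[1]
    if length_type == 1:
        return tag, 3, struct.unpack(">H", buf[1:3])[0]
    if length_type == 2:
        return tag, 5, struct.unpack(">I", buf[1:5])[0]
    raise ValueError("indeterminate length not supported here")


def signature_hash_algorithm(packet):
    """Return the hash algorithm id octet of a signature packet."""
    tag, off, length = parse_packet_header(packet)
    if tag != TAG_SIGNATURE:
        raise ValueError(f"packet tag {tag} is not a signature")
    body = packet[off:off + length]
    if len(body) < length:
        raise ValueError("truncated signature packet")
    version = body[0]
    if version == 3:
        # v3: version, 5, sig type, 4-octet time, 8-octet key id, pk algo, hash algo
        return body[16]
    if version in (4, 5, 6):
        # v4 and later: version, sig type, pk algo, hash algo, ...
        return body[3]
    raise ValueError(f"unsupported signature version {version}")


def check_signature_policy(packet):
    """Return (accepted, reason); rejects MD5/SHA-1 and unknown algorithms."""
    algo = signature_hash_algorithm(packet)
    name = HASH_ALGOS.get(algo)
    if algo in REJECTED_HASHES:
        return False, f"hash algorithm {name} (id {algo}) is not accepted"
    if name is None:
        return False, f"unknown hash algorithm id {algo}"
    return True, name


def build_v4_signature_packet(hash_algo, old_format=False):
    """Constructed v4 signature packet (RSA, binary document) with placeholder MPI."""
    hashed_subpackets = bytes([5, 2]) + struct.pack(">I", 1603540457)  # creation time
    body = (bytes([4, 0x00, 1, hash_algo])
            + struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets
            + struct.pack(">H", 0)          # no unhashed subpackets
            + b"\x00\x00"                   # left 16 bits of hash (placeholder)
            + b"\x00\x08\x01")              # placeholder 8-bit MPI
    if old_format:
        return bytes([0x80 | (TAG_SIGNATURE << 2), len(body)]) + body
    return bytes([0xC0 | TAG_SIGNATURE, len(body)]) + body


def build_v3_signature_packet(hash_algo):
    """Constructed v3 signature packet with placeholder key id and MPI."""
    body = (bytes([3, 5, 0x00]) + struct.pack(">I", 1603540457) + b"\x00" * 8
            + bytes([1, hash_algo]) + b"\x00\x00" + b"\x00\x08\x01")
    return bytes([0xC0 | TAG_SIGNATURE, len(body)]) + body


if __name__ == "__main__":
    for pkt in (build_v4_signature_packet(8), build_v4_signature_packet(2),
                build_v3_signature_packet(1)):
        print(check_signature_policy(pkt))
```

The check happens before any signature math: an implementation that enforces the proposed MUST NOT should refuse on the hash algorithm octet alone and never compute a digest with a rejected algorithm.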

_______________________________________________
openpgp mailing list
openpgp@ietf.org
https://www.ietf.org/mailman/listinfo/openpgp