ietf-openpgp

Re: [openpgp] Rejecting expiration signatures that involve SHA1

2022-04-25 07:40:06
Daniel Huigens <d.huigens=40protonmail(_dot_)com(_at_)dmarc(_dot_)ietf(_dot_)org> writes:

I'm primarily posting this FYI, because there probably isn't a good
solution to the situation we're experiencing. We probably shouldn't undo
the change to allow a longer migration period?

I agree; I support rejecting SHA1 signatures. For now, in OpenPGP.js we
only do so for message signatures by default, not binding signatures
yet, but we could start rejecting SHA1 binding signatures as well.

I think it is more complicated than that.  First, there are two
hash algorithm properties to consider: collision resistance and preimage
resistance.  If the attacker controls data being signed, collision
resistance is required.  But, that is not the case for binding
signatures.

Second, rejecting a signature carries a risk too: if you reject a
revocation signature, then you will continue to use a key that the
holder asked you not to use.

Our SHA1 strategy is:

- Use SHA1CD instead of SHA1.
- Distinguish between the need for collision resistance and preimage
  resistance.
- Have a clear deprecation timeline (reject where collision resistance
  is required from 2013, completely reject in 2023).  This deprecation
  is in the code, so deployed code will reject SHA1 without the need for
  a software update.
- Have tooling to help people detect and correct this issue:
  https://gitlab.com/sequoia-pgp/keyring-linter or apt install sq-keyring-linter

Further reading:

- https://docs.sequoia-pgp.org/sequoia_openpgp/policy/struct.StandardPolicy.html#method.reject_hash_property_at
- https://docs.sequoia-pgp.org/sequoia_openpgp/policy/enum.HashAlgoSecurity.html
- https://gitlab.com/sequoia-pgp/sequoia/-/issues/595

Relevant tests:

- https://tests.sequoia-pgp.org/#Signature_over_the_shattered_collision
- https://tests.sequoia-pgp.org/#Primary_key_binding_signatures
  (the SHA1 backsig vector)

Justus
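
Added example, not part of the original message and not Sequoia's code: a simplified model of the strategy listed above, where each hash property has its own compiled-in cutoff so the verdict changes as the clock advances. The type and function names are hypothetical, and the exact cutoff instants (1 January UTC of the years named in the mail) are assumptions.

```rust
// Simplified model of a time-based hash policy (illustration only).
#[derive(Clone, Copy, PartialEq, Debug)]
enum Hash { Sha1, Sha256 }

/// The property a signature context needs from its hash algorithm.
#[derive(Clone, Copy, PartialEq, Debug)]
enum Property { CollisionResistance, PreimageResistance }

/// Where the signature is used, reduced to the two cases in the mail.
#[derive(Clone, Copy, PartialEq, Debug)]
enum Context { Message, Binding }

// Assumed cutoffs: 00:00 UTC on 1 January of the years named in the mail.
const Y2013: u64 = 1_356_998_400;
const Y2023: u64 = 1_672_531_200;

/// Data an attacker may control needs collision resistance; a binding
/// signature, per the mail, does not.
fn required(ctx: Context) -> Property {
    match ctx {
        Context::Message => Property::CollisionResistance,
        Context::Binding => Property::PreimageResistance,
    }
}

/// Time from which `hash` is rejected for `prop`; None means no cutoff.
fn cutoff(hash: Hash, prop: Property) -> Option<u64> {
    match (hash, prop) {
        (Hash::Sha1, Property::CollisionResistance) => Some(Y2013),
        (Hash::Sha1, Property::PreimageResistance) => Some(Y2023),
        (Hash::Sha256, _) => None,
    }
}

/// Evaluate the policy at reference time `at` (Unix seconds). The cutoff is
/// part of the code, so no software update is needed for the verdict to flip.
fn accept(hash: Hash, ctx: Context, at: u64) -> bool {
    cutoff(hash, required(ctx)).map_or(true, |t| at < t)
}

fn main() {
    let april_2022 = 1_650_844_800; // constructed: 2022-04-25 00:00 UTC
    for ctx in [Context::Message, Context::Binding] {
        for at in [april_2022, Y2023] {
            println!("SHA1 {:?} at {}: accept={}", ctx, at, accept(Hash::Sha1, ctx, at));
        }
    }
    println!("SHA256 message at cutoff: {}", accept(Hash::Sha256, Context::Message, Y2023));
}
```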
