I don't know exactly what OpenPGP does, so maybe it's fine.
It encrypts the SHA-1 hash in CFB mode. Unfortunately the only analysis I'm
aware of (I've just asked on the OpenPGP list) is by Hungarian cryptographer
Daniel Nagy:
I have just discussed this issue with my students at our cryptography
seminar. The general consensus is that MDCs do not need collision
resistance. Thus, SHA1 is secure with a huge security margin. The recent
weakening of SHA1 means that finding a pre-image takes approx 2^138
attempts, which is still comfortably beyond reach for today's and tomorrow's
technology. Introducing longer hashes would make it slower, while not
improving security. If you insist, I can provide the complete reasoning why
collision-resistance is not required for MDC.
Peter,
I don't know what the above rationale is. However, there is
a real-world consideration that is often overlooked in purely
mathematical analyses of hash function shortcomings. In order
for an attacker to successfully exploit a hash collision it is
necessary not only to find a collision, but to find one that
yields a meaningful message. Especially in applications such
as S/MIME where the payload is often a formatted text message,
just finding ANY arbitrary collision wouldn't work. It would
be likely to corrupt the message format, or otherwise cause
the receiving client to display gibberish. I suspect that this
is true for a lot of applications. So above and beyond the
probability of finding a collision, you have to factor in the
probability of finding a meaningful (and presumably harmful)
message that collides. I suspect that number is MUCH
smaller.
I wouldn't even BEGIN to know how to quantify all the factors
in this for a probability calculation. Perhaps that is why it
is so seldom mentioned. ;-)
Best regards,
Chris B.
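The construction under discussion, as an added worked example that is not code from this thread, from GnuPG, or from any OpenPGP implementation: plaintext || SHA-1(plaintext) is encrypted as one unit in CFB mode, and the receiver recomputes the hash after decryption. It is a simplified model of the MDC Peter describes, not the RFC 4880 packet format (no random prefix block, no 0xD3 0x14 trailer, no quick-check bytes). The block cipher is also an assumption: CFB only ever runs the cipher in the forward direction, so a keyed PRF (HMAC-SHA256 truncated to 16 bytes) stands in for AES to keep the script standard-library only. The key, IV and message are constructed for the demo. The tamper() helper shows why Nagy's students were content with second-preimage resistance: an attacker editing ciphertext blindly changes one plaintext byte and scrambles the whole following block, and must then land on a plaintext whose SHA-1 equals a trailer they never saw, which is a very different problem from choosing two colliding messages of their own.

```python
import hashlib
import hmac
import os

BLOCK = 16    # block size of the toy block function, in bytes (same as AES)
MDC_LEN = 20  # SHA-1 digest length; the OpenPGP MDC is a SHA-1 hash


def _block_fn(key: bytes, block: bytes) -> bytes:
    """ASSUMPTION: stand-in for a block cipher's forward direction.
    HMAC-SHA256 truncated to 16 bytes, NOT AES; CFB never needs the inverse."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Full-block CFB: C_i = P_i XOR E_k(C_{i-1}), with C_0 = IV."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        c = _xor(data[i:i + BLOCK], _block_fn(key, prev))
        out += c
        prev = c  # a short final block is never fed back, so no padding is needed
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """P_i = C_i XOR E_k(C_{i-1}). Flipping a bit of C_i flips the same bit of
    P_i and scrambles all of P_{i+1}; the MDC exists to catch exactly that."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out += _xor(c, _block_fn(key, prev))
        prev = c
    return bytes(out)


def seal(key: bytes, plaintext: bytes, iv=None):
    """Append SHA-1(plaintext) and encrypt plaintext||hash together in CFB."""
    iv = iv if iv is not None else os.urandom(BLOCK)
    mdc = hashlib.sha1(plaintext).digest()
    return iv, cfb_encrypt(key, iv, plaintext + mdc)


def open_sealed(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Decrypt, split off the 20-byte trailer, recompute SHA-1, compare in constant time."""
    if len(ciphertext) < MDC_LEN:
        raise ValueError("ciphertext too short to carry an MDC")
    decrypted = cfb_decrypt(key, iv, ciphertext)
    body, mdc = decrypted[:-MDC_LEN], decrypted[-MDC_LEN:]
    if not hmac.compare_digest(hashlib.sha1(body).digest(), mdc):
        raise ValueError("MDC check failed: message was modified")
    return body


def tamper(key: bytes, iv: bytes, ciphertext: bytes, index: int, plaintext_len: int):
    """Flip one ciphertext bit. Returns (rejected_by_mdc, indices of plaintext
    bytes that came out different from the untampered decryption)."""
    bad = bytearray(ciphertext)
    bad[index] ^= 0x01
    bad = bytes(bad)
    try:
        open_sealed(key, iv, bad)
        rejected = False
    except ValueError:
        rejected = True
    original = cfb_decrypt(key, iv, ciphertext)[:plaintext_len]
    damaged = cfb_decrypt(key, iv, bad)[:plaintext_len]
    changed = [i for i, (a, b) in enumerate(zip(original, damaged)) if a != b]
    return rejected, changed


if __name__ == "__main__":
    # Constructed demo material, not real key or traffic.
    key = hashlib.sha256(b"constructed demo key").digest()
    msg = b"Dear Chris,\nThe invoice total is 1200 EUR.\nRegards, Peter\n"
    iv, ct = seal(key, msg)
    assert open_sealed(key, iv, ct) == msg
    rejected, changed = tamper(key, iv, ct, 32, len(msg))
    print("tampered ciphertext rejected by MDC:", rejected)
    print("plaintext bytes disturbed by one flipped ciphertext bit:", changed)
```

Flipping a bit inside the encrypted hash itself (the last 20 bytes) leaves the plaintext intact but still fails the check, so the attacker cannot "fix up" the trailer either; both cases are what the MDC is meant to reject, and neither involves the attacker picking two messages that collide.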