Forgot your password?
typodupeerror
Debian Security

Preparing To Migrate Off of SHA-1 In OpenPGP 152

Posted by kdawson
from the orderly-fashion dept.
jamie found a note on debian-administration.org, the first in a promised series on migrating off of SHA-1 in OpenPGP. "Last week at eurocrypt, a small group of researchers announced a fairly serious attack against the SHA-1 digest algorithm, which is used in many cryptosystems, including OpenPGP. The general consensus is that we should be 'moving in an orderly fashion toward the theater exits,' deprecating SHA-1 where possible with an eye toward abandoning it soon (one point of reference: US govt. federal agencies have been directed to cease all reliance on SHA-1 by the end of 2010, and this directive was issued before the latest results). ... So what can you do to help facilitate the move away from SHA-1? I'll outline three steps that current gpg users can do today, and then I'll walk through how to do each one..."
This discussion has been archived. No new comments can be posted.

Preparing To Migrate Off of SHA-1 In OpenPGP

Comments Filter:
  • by marcosdumay (620877) <marcosdumay@@@gmail...com> on Friday May 08, 2009 @11:28AM (#27876957) Homepage Journal
    From TFA, so others don't have to read it, GPG will stay with SHA 224, SHA 256, SHA 384 and SHA 512.
  • by swillden (191260) <shawn-ds@willden.org> on Friday May 08, 2009 @11:34AM (#27877035) Homepage Journal

    Is there any hash function that actually is secure?

    There are some for which no known attacks exist. SHA-256 and SHA-512, Whirlpool and Tiger are all pretty thoroughly-reviewed with no weaknesses uncovered. The NIST hash function competition is causing a great deal of new hash function research and we'll almost certainly get a bunch of great new hash functions out of it -- many of them not only secure, but significantly faster than SHA-1.

    If you're thinking that "no known attacks" isn't good enough, keep in mind that's as good as it every gets in cryptography, with the sole exception of the One Time Pad

  • by Amouth (879122) on Friday May 08, 2009 @11:36AM (#27877067)

    by definishion a hash function can't be safe you are taking something that is of unknown size and giving a specific lenght result which will always be the same for a given input.

    due to the limited length of the result using inputs larger than the result you can assure at some point there will be a collision (2 diffrent inputs with the same output)

    MD5 failed after enough people looked at it and someone figured out how to salt it to get collisions quite quickly.

    as proccessing power increases brute force is getting easier - but when you find a way of cutting down the brute force required.. that is when something can become very weak very quickly.

  • by Anonymous Coward on Friday May 08, 2009 @11:46AM (#27877185)

    That is not what secure means with regard to hash functions. Secure means that it is not feasible to construct a document which has the same hash value as a given document (pre-image attack) or to construct two documents which have the same hash value (collision attack). The complexity of these attacks is ideally such that simply enumerating documents is the fastest way (brute force). Reducing the number of documents which you have to try to find a match makes a successful attack more likely. The complexity which is deemed as breaking the hash function depends on the adversaries and time frames relevant to a particular application.

  • by John Goerzen (2781) on Friday May 08, 2009 @11:51AM (#27877217) Homepage

    SHA-1 doesn't encrypt things. It makes a hash of them, to verify they haven't been modified.

    There are no secrets encrypted with SHA-1 because SHA-1 doesn't encrypt things.

  • by Anonymous Coward on Friday May 08, 2009 @11:55AM (#27877275)

    Hash functions are not used in encryption and decryption. Their cryptographic use is in authentication, for example in key exchange protocols and cryptographic signatures.

  • by russotto (537200) on Friday May 08, 2009 @12:11PM (#27877503) Journal

    Really stupid question (not a cryptographer), but is there anything wrong with using multiple hash algorithms (hopefully none derived from one another)? Surely breaking two or more hashes simultaneously would be far harder?

    E.g., MD5 is broken. But what if we use both MD5 and SHA-1?

    Unfortunately not; once you've broken the strongest hash, the rest can be broken in polynomial time.

    http://article.gmane.org/gmane.comp.encryption.general/5154 [gmane.org]

  • by Kjella (173770) on Friday May 08, 2009 @12:18PM (#27877585) Homepage

    If you're thinking that "no known attacks" isn't good enough, keep in mind that's as good as it every gets in cryptography

    I think my math teacher would call that a "necessary but not sufficient" condition, I mean anything can be without known attacks by virtue of never having been reviewed. Minimums should include:

    1. Published algorithm, no "secret sauce" security by obscurity
    2. Solid peer reviews by other cryptographers, definately not just the vendor or their hirelings
    3. Strong links to well-researched hard mathematical problems

    Of course, nothing can guarantee that the NSA hasn't found some super-secret math thingie that'll cut through it like a knife through hot butter. But cryptography is also about eating your own dog food, if you don't use it for anything valuable who'd trust it? You can't really keep that a secret because you have to tell lots of people that this isn't really secure or they'd use it as if it were. And if you do use it for your valuables, would you really leave that kind of backdoor for someone else to find? Again it doesn't prove anything, but I think most modern crypto algorithms have no weaknesses known to anybody, and if one showed up it'd be just as big a OMG for those who made/approved it as everyone else.

  • by SparkleMotion88 (1013083) on Friday May 08, 2009 @12:28PM (#27877739)

    Surely breaking two or more hashes simultaneously would be far harder

    You can't be "sure" about much in cryptography. If m is a message, and f and g are hash functions, you are assuming that you get more security from f(g(m)) than from f(m). You have to define what kind of security you are hoping for. With hash algorithms, you usually want: given m', it is difficult to find some m where h(m) = m'.

    So to answer your question, using f(g(m)) would only be more secure than f(m) if f contains some vulnerability and no cryptanalytic vulnerability is introduced by combining f and g. If I don't have any information about either type of vulnerability, I would have no reason to assume that f(g(m)) is more secure than f(m). In this situation, I would stick with f(m) because it has been studied more and people have probably spent time trying to break it.

    To put it another way, breaking f(g(m)) does not necessarily require breaking both f and g. The resulting algorithm that you get by composing f with g is still only one algorithm (just like SHA-1), and that is the only algorithm that needs to be broken.

  • by blueg3 (192743) on Friday May 08, 2009 @12:35PM (#27877869)

    This has nothing to do with multiple hash algorithms. What you're referring to is that finding an n-way collision from a 2-way collision is polynomial time. That is, a 2-way collision is two documents with the same hash, and an n-way collision is n documents with the same hash.

    Finding a pair of documents that have the same SHA1 hash doesn't help you find a pair of documents with the same MD5 hash. Indeed, none of the efficient-collision algorithms allow you to find collisions in both SHA1 and MD5 simultaneously. (Note that, as far as I know, there aren't even any efficient preimage attacks on MD5 or SHA1, only collision attacks.)

    Using multiple hash algorithms is helpful, yes.

  • by Cruicky (1122359) on Friday May 08, 2009 @02:01PM (#27879175)

    The OpenSSL package in Ubuntu supports SHA224, SHA256, SHA384, and SHA512, even though it's not actually shown in the help, with the command line options being -sha224, -sha256, -sha384 and -sha512.

    I've been happily using SHA512 with a personal CA for the last year.

    It's possible that other distributions have also compiled in support for these hash functions in their OpenSSL packages.

  • Re:2^52 (Score:3, Informative)

    by iluvcapra (782887) on Friday May 08, 2009 @02:13PM (#27879361)

    Avoid bignums whenever possible

    (2^57)/(2^52) = 2^(57-52) = 2^5 = 32 times speedup

    Powers of 2 sneak up on you! :)

  • Re:2^52 (Score:3, Informative)

    by Anonymous Coward on Friday May 08, 2009 @02:29PM (#27879639)

    you must be REALLY stupid

    typical ignorant american response.

    europeans, particularly the french, tend to use the , for what we use the . for and vice-versa.

    so in american, this:

    2^57 = 144.115.188.075.855.872

    2^52 = 4.503.599.627.370.496

    2^52 / 2^57 = 0,03125 = 3,125%

    becomes this:

    2^57 = 144,115,188,075,855,872

    2^52 = 4,503,599,627,370,496

    2^52 / 2^57 = 0.03125 = 3.125%

    which look like much more reasonable numbers.

  • by swillden (191260) <shawn-ds@willden.org> on Friday May 08, 2009 @04:08PM (#27881225) Homepage Journal

    If you're thinking that "no known attacks" isn't good enough, keep in mind that's as good as it every gets in cryptography

    I think my math teacher would call that a "necessary but not sufficient" condition, I mean anything can be without known attacks by virtue of never having been reviewed. Minimums should include:

    1. Published algorithm, no "secret sauce" security by obscurity 2. Solid peer reviews by other cryptographers, definitely not just the vendor or their hirelings 3. Strong links to well-researched hard mathematical problems

    Absolutely correct, with the partial exception of #3. It would be nice, perhaps, if #3 applied, but most symmetric ciphers and secure hash algorithms rely on complexity rather than hard problems.

  • by molo (94384) on Friday May 08, 2009 @04:43PM (#27881781) Journal

    Did no one really reply to this?

    PGP is the original. Phil Zimmerman, export control, all the history.

    OpenPGP is a specification for all input and output of a PGP system. RFC 4880. Diverges from PGP5.

    GPG == GNUPG. A Free Software implementation of OpenPGP. Has now become the most commonly used OpenPGP implementation. Werner Koch is the project lead.

    -molo

In any formula, constants (especially those obtained from handbooks) are to be treated as variables.

Working...