Preparing To Migrate Off of SHA-1 In OpenPGP
jamie found a note on debian-administration.org, the first in a promised series on migrating off of SHA-1 in OpenPGP. "Last week at eurocrypt, a small group of researchers announced a fairly serious attack against the SHA-1 digest algorithm, which is used in many cryptosystems, including OpenPGP. The general consensus is that we should be 'moving in an orderly fashion toward the theater exits,' deprecating SHA-1 where possible with an eye toward abandoning it soon (one point of reference: US govt. federal agencies have been directed to cease all reliance on SHA-1 by the end of 2010, and this directive was issued before the latest results). ... So what can you do to help facilitate the move away from SHA-1? I'll outline three steps that current gpg users can do today, and then I'll walk through how to do each one..."
Stupid question, but... multiple hashes? (Score:4, Interesting)
Really stupid question (not a cryptographer), but is there anything wrong with using multiple hash algorithms (hopefully none derived from one another)? Surely breaking two or more hashes simultaneously would be far harder?
E.g., MD5 is broken. But what if we use both MD5 and SHA-1?
Re:SHA2 Family still secure (Score:2, Interesting)
If I understand the attack correctly, I think most real-world SHA-1 usage should be secure for the time being. From the looks of it, the researchers were able to reduce the time necessary to find two inputs that hash to the same digest. This is very different from finding a second input that hashes to a known digest. If that were the case, common hash applications like storing the digest of passwords or digital signatures would be vulnerable.
But until researchers can take a known digest value and find an alternate set of input data, most real-world applications should be okay. News like this should make people start to look at when they can conveniently migrate away from SHA-1, but it's not something that requires immediate attention.
Re:In theory, no (Score:3, Interesting)
I mean how long does even the most sensitive data need to remain protected? 30 years?
Whatever the copyright length is...so about forever.
What about SSL certificates? (Score:5, Interesting)
According to x509(1) and ca(1), OpenSSL supports md2, md5, sha1, and mdc2 as options for message digests for certificates. Since MD2 and MD5 are already broken, and SHA1 is now suspect, that leaves just the relatively obscure MDC-2 [wikipedia.org].
Can someone give me a quick rundown? (Score:4, Interesting)
It's been a while since I had to deal with PGP keys and the like, and things have multiplied since then. Is there a simple explanation for the status/compatibility/equivalency of...
pgp
openpgp
gpg
gnupg
And any others I'm missing?
Re:2^52 (Score:3, Interesting)
It's a collision attack, that means you can make two files with the same SHA1 in 2^52 operations (via the birthday paradox).
In the best possible application of this attack you can make two files, one good, one incriminating and get somebody to sign the good one.
The two changeling files are generated via a randomizing process so generating meaningful text files really isn't possible, the files have to contain binary data with a 'random' appearance. Examples of this would be crypto keys, SSL certificates, stuff like that.
Anybody who makes his own files and signs them is immune to this attack. The SHA1 of your favorite Linux distro is as safe as ever.
So ... this attack isn't very useful in the real world but it does show that SHA1 is slowly being deconstructed, that relationships are being found between input bits and output bits.
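Two comments above make the same distinction: one contrasts finding any two colliding inputs with finding a second input for a known digest, and the "2^52" comment ties the collision cost to the birthday paradox. The following Python is an added illustration, not code from the thread or from any of the projects it mentions. It puts the arithmetic in functions (generic birthday bound 2^(n/2), generic second-preimage bound 2^n, and the speedup the quoted 2^52 figure represents over SHA-1's generic 2^80), then makes the gap visible on a constructed toy: SHA-256 truncated to 32 bits, where a collision shows up after tens of thousands of trials while a second preimage for a chosen digest does not appear within a comparable budget. The seeds and the 32-bit truncation are assumptions chosen so the run finishes in seconds.

```python
import hashlib
import math

# Added example (not from the original discussion): arithmetic behind
# "collision" versus "second preimage", checked empirically on a truncated hash.

SHA1_BITS = 160
ANNOUNCED_COLLISION_LOG2 = 52  # figure quoted in the thread


def generic_collision_log2(bits):
    """Birthday bound: some collision in about 2^(bits/2) digest evaluations."""
    return bits / 2


def generic_preimage_log2(bits):
    """Second preimage of one chosen digest: about 2^bits evaluations."""
    return float(bits)


def speedup_over_generic(bits, attack_log2):
    """Factor by which an announced attack beats brute-force birthday search."""
    return 2 ** (generic_collision_log2(bits) - attack_log2)


def expected_collision_trials(bits):
    """Expected random draws before the first repeated digest: ~sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * (1 << bits))


def truncated_digest(data, bits):
    """SHA-256 reduced to its low `bits` bits so the birthday effect is observable."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << bits) - 1)


def find_collision(bits, seed=b"constructed-collision-seed"):
    """Generate deterministic pseudo-random inputs until two share a truncated
    digest. Returns (trials, input_a, input_b). Cost grows like 2^(bits/2)."""
    seen = {}
    trials = 0
    while True:
        candidate = hashlib.sha256(seed + trials.to_bytes(8, "big")).digest()
        trials += 1
        d = truncated_digest(candidate, bits)
        if d in seen and seen[d] != candidate:
            return trials, seen[d], candidate
        seen[d] = candidate


def find_second_preimage(target, bits, max_trials, seed=b"constructed-preimage-seed"):
    """Spend up to max_trials fresh inputs looking for one whose truncated digest
    equals that of `target`. Returns the match or None; cost grows like 2^bits."""
    want = truncated_digest(target, bits)
    for i in range(max_trials):
        candidate = hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
        if candidate != target and truncated_digest(candidate, bits) == want:
            return candidate
    return None


if __name__ == "__main__":
    print("SHA-1 generic collision 2^%d, announced 2^%d, speedup 2^%d"
          % (generic_collision_log2(SHA1_BITS), ANNOUNCED_COLLISION_LOG2,
             math.log2(speedup_over_generic(SHA1_BITS, ANNOUNCED_COLLISION_LOG2))))
    bits = 32
    trials, a, b = find_collision(bits)
    print("%d-bit toy: collision after %d trials (expected ~%d)"
          % (bits, trials, expected_collision_trials(bits)))
    budget = 100_000
    hit = find_second_preimage(a, bits, budget)
    print("second preimage of one chosen digest within %d trials: %s"
          % (budget, "found" if hit else "not found (expected ~2^%d)" % bits))
```

The design point is the ratio: for the same output size, a collision search needs roughly the square root of the work a second-preimage search needs, which is why the comment about signing a document you wrote yourself holds under a collision-only result. A 2^52 collision for a 160-bit hash is a 2^28 improvement over the generic bound, but it says nothing about the 2^160 second-preimage cost that signature forgery against an existing document would require.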