On 7/11/2012 9:23 PM, brian m. carlson wrote:
> Really? I'm pretty sure that I'm not generating SHA-1 signatures.
This is not necessarily relevant. Here's a thought experiment for you. Someone creates a DSA-1k key and uses --cert-digest-algo SHA256 and --enable-dsa2. This creates 160-bit truncated SHA256 hashes. This person is at risk from a SHA-1 preimage collision, *despite the fact they've never generated a single SHA-1 signature*. All the attacker has to do is create a message which SHA-1s out to the same value as the truncated SHA-256 of a legitimate message. At that point, the forgery becomes possible.

I don't specifically know how you're using SHA-256. Nor do I especially want to know. What I do know is that there are a surprising number of ways a SHA-1 preimage attack can screw over even people who have never used SHA-256. Don't put too much faith in "if I switch to SHA-256 I don't need to worry about the SHA-1 attacks." It's probably not true.
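To make the truncation in the thought experiment concrete, here is a toy textbook DSA in Python, added as an illustration (it is not GnuPG's code and not from the post): with a 160-bit q, as in a DSA-1024 key, only the leftmost 160 bits of the SHA-256 digest are signed, and verify() checks nothing but that 160-bit integer, so nothing in (r, s) records which hash produced it. The prime sizes, the sample message and the function names are constructed assumptions for the example; the parameter generation is a toy, not a FIPS 186 procedure.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    # Miller-Rabin for odd n >= 5; adequate for toy parameters
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True
def gen_params(q_bits=160, p_bits=512):
    # Toy DSA domain parameters; q_bits (160 for a DSA-1024 key) bounds the signed hash
    q = p = 9
    while not is_probable_prime(q):
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
    while not is_probable_prime(p):
        p = 2 * (secrets.randbits(p_bits - q_bits - 1) | 1) * q + 1
    return p, q, pow(2, (p - 1) // q, p)  # order-q generator (g == 1 has negligible odds)
def truncate_digest(digest, q):
    # FIPS 186: only the leftmost min(N, outlen) digest bits become the signed integer
    return int.from_bytes(digest, "big") >> max(0, 8 * len(digest) - q.bit_length())
def sign(p, q, g, x, z):
    k = secrets.randbelow(q - 1) + 1
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (z + x * r) % q
    assert r and s  # real code retries with a fresh k; the odds here are about 2**-160
    return r, s
def verify(p, q, g, y, z, r, s):
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, z * w % q, p) * pow(y, r * w % q, p) % p % q == r
def demo(message=b"constructed sample message"):
    # Sign with "SHA256" as --enable-dsa2 does on a 160-bit q. Neither r nor s records
    # which hash produced z, so any (hash, message) pair with the same 160-bit z verifies.
    p, q, g = gen_params()
    x = secrets.randbelow(q - 1) + 1
    z = truncate_digest(hashlib.sha256(message).digest(), q)
    r, s = sign(p, q, g, x, z)
    return z.bit_length() <= 160, verify(p, q, g, pow(g, x, p), z, r, s)
```

The value the key actually certifies is the 160-bit z, which is the same space a full SHA-1 output occupies, so the signature's strength is bounded by the weakest hash the verifier will accept for that key, not by the hash chosen at signing time.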
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users