Re: MD5 is an unreliable digest algorithm [was: Re: Key Transition Letter 2009-05-21]
Daniel Kahn Gillmor wrote:
> Actually, it is fairly common in certain circumstances: Certifying
> that another user's key is correctly bound to their User ID (a.k.a.
> "signing someone's key") is effectively making a signature over a
> document that you did not originate.

Yes. And then if you take a look at how often this happens with MD5 in OpenPGP, you'll find the answer is effectively never, since SHA-1 generally gets used instead. So this attack is mostly a nonissue for OpenPGP usage.

> MD5 *is* broken in that it does not provide the expected level of
> security that a digest of its length implies, particularly for
> collision-resistance.

I am getting pretty frustrated with how people are misreading, misinterpreting, or outright not listening to the qualifications I am putting on the things I'm saying. My original text was, "it's kind of a stretch to say that it is entirely broken for purposes of email cryptography." The word "entirely" is pretty important there.

Algorithms are not, as is commonly believed, either "secure" or "insecure". OpenPGP in particular is used in a variety of different ways. There is a continuum with "secure for all known uses of OpenPGP" at one end and "insecure for all known uses of OpenPGP" at the other, and a lot of gray area in the middle where "secure for some uses" lives. MD5 is in that continuum. It is not /entirely/ broken, as seems to be the common misperception.

> So MD5 should indeed be avoided today, and we should be methodically
> and reasonably moving away from reliance on SHA-1 in circumstances
> where collision-resistance is necessary.

Yes. Which is exactly what I've been saying.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
MD5 is an unreliable digest algorithm [was: Re: Key Transition Letter 2009-05-21]
On 05/24/2009 02:15 AM, Robert J. Hansen wrote:
> It depends on what sort of threat you're facing. In this case, the MD5
> attack is predicated on the victim signing documents they did not
> originate. This is often considered bad policy, since it tends to
> facilitate attacks like this. This usage case is kind of rare for GnuPG
> -- not unheard of, but rare.

Actually, it is fairly common in certain circumstances: Certifying that another user's key is correctly bound to their User ID (a.k.a. "signing someone's key") is effectively making a signature over a document that you did not originate. The only element in a standard OpenPGP certification which changes is the timestamp of the certification itself. The timestamp is fairly predictable (the hash-clash rogue CA X.509 MD5 compromise in December 2008 relied on timestamping with the same granularity that OpenPGP uses).

Furthermore, the timestamp is *appended* to the element in question that is signed (as are any additional subpackets that the issuer of the certification elects to include). Certifier-authored appended data is less useful for defeating a collision attack, since signatures are made over digests that are one-pass. With a one-pass digest, an attacker needs only to find a collision in the lead-up to the appended data, and then subsequent appended data can simply be copied from the tail of one message to the other to maintain the collision in the digest output space.

> MD5 is best avoided, yes, please don't get me wrong -- but it's kind of
> a stretch to say that it is entirely broken for purposes of email
> cryptography.

MD5 *is* broken in that it does not provide the expected level of security that a digest of its length implies, particularly for collision-resistance. The ability to find two messages with identical digests should be no less expensive than a so-called "birthday attack", which is 2^64 digest calculations for a 128-bit digest like MD5.

MD5's collision resistance is demonstrably less than 2^64 today. Wikipedia notes attacks that find MD5 collisions in a few hours on a notebook computer. Collision attacks have significant utility in subverting all kinds of crypto-systems including e-mail cryptography, particularly because so many mail clients are willing to ignore invalid or garbage-y data in an e-mail message.

SHA-1's collision resistance is weakened as well, reportedly to the level of 2^52 operations (it should be 2^80, since SHA-1 is a 160-bit hash), but (a) no one has seen an exploit of this in the wild yet, and (b) 2^52 is a fairly big number anyway (within reach of well-funded organizations, but not nearly as bad as MD5).

So MD5 should indeed be avoided today, and we should be methodically and reasonably moving away from reliance on SHA-1 in circumstances where collision-resistance is necessary.

--dkg
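The "one-pass digest" property dkg describes above is the Merkle-Damgard structure that MD5 and SHA-1 share: the digest of a message is computed from a chaining state that is updated block by block, so once two equal-length messages reach the same chaining state, any data appended after that point is processed from the same state and the digests stay equal. The following Python example is added here as an editorial illustration; it is not code from the mailing list or from GnuPG. It uses a constructed toy hash with a 16-bit chaining value (so that an internal-state collision can be found by brute force in a fraction of a second) to show that appended certifier data such as a timestamp preserves a collision while prepended data almost always destroys it, and uses hashlib's copy() to show that real MD5 continues from its chaining state in the same way. All constants, the compression function and the sample suffix are constructed for the example.

```python
import hashlib

# Toy Merkle-Damgard hash, constructed for illustration only: a 16-bit
# chaining value, one message byte per block, and MD-strengthening by
# absorbing the message length at the end. The tiny state is what makes
# collisions cheap to find; the block-by-block structure is what it shares
# with MD5 and SHA-1.
MASK = 0xFFFF
IV = 0x1234  # constructed initial chaining value


def compress(state: int, block: int) -> int:
    """Mix one message byte into the 16-bit chaining value (constructed mixer)."""
    x = (state ^ (block * 0x9E37)) & MASK
    x = (x * 0x2F6B + 0x4F1B) & MASK
    x = ((x << 5) | (x >> 11)) & MASK
    return x ^ (x >> 7)


def absorb(state: int, data: bytes) -> int:
    """Run the compression function over every byte of data, in order."""
    for b in data:
        state = compress(state, b)
    return state


def toy_md(msg: bytes) -> int:
    """Digest = chaining state after the message, then after the length block."""
    state = absorb(IV, msg)
    return absorb(state, len(msg).to_bytes(2, "big"))


def find_state_collision(length: int = 3) -> tuple[bytes, bytes]:
    """Brute-force two distinct equal-length messages that reach the same
    internal chaining state. With a 16-bit state, the pigeonhole principle
    guarantees a hit within 65537 candidates (a birthday search needs ~2^8)."""
    seen: dict[int, bytes] = {}
    for n in range(1 << (8 * length)):
        m = n.to_bytes(length, "big")
        s = absorb(IV, m)
        if s in seen:
            return seen[s], m
        seen[s] = m
    raise RuntimeError("unreachable: more candidates than states")


def appended_data_preserves_collision(a: bytes, b: bytes, suffix: bytes) -> bool:
    """Once the chaining states agree, any common appended data (a
    certification timestamp, extra subpackets) is processed from the same
    state, so both messages still produce the same digest."""
    return toy_md(a + suffix) == toy_md(b + suffix)


def prepended_data_preserves_collision(a: bytes, b: bytes, prefix: bytes) -> bool:
    """Data placed *before* the colliding bytes changes the state those bytes
    start from, so the pair almost always stops colliding (roughly a 2^-16
    chance of surviving with this toy's 16-bit state)."""
    return toy_md(prefix + a) == toy_md(prefix + b)


def md5_tail_depends_only_on_state(prefix: bytes, suffix: bytes) -> bool:
    """Real MD5 has the same shape: hashlib's copy() snapshots the chaining
    state, and continuing from it yields the digest of prefix || suffix."""
    h = hashlib.md5(prefix)
    continued = h.copy()
    continued.update(suffix)
    return continued.digest() == hashlib.md5(prefix + suffix).digest()


if __name__ == "__main__":
    a, b = find_state_collision()
    ts = b"\x4a\x15\x20\x15"  # constructed 4-byte timestamp-like suffix
    print(f"a={a.hex()} b={b.hex()} toy digest={toy_md(a):04x}")
    print("appending common data keeps the collision:",
          appended_data_preserves_collision(a, b, ts))
    print("prepending common data keeps the collision:",
          prepended_data_preserves_collision(a, b, ts))
    print("MD5 tail needs only the chaining state:",
          md5_tail_depends_only_on_state(b"key material", ts))
```

Run stand-alone, the script finds a colliding pair, confirms that the same suffix appended to both keeps the toy digests equal, and (almost always) shows that the same bytes prepended to both breaks the collision, which is why signer-controlled data is only effective against this kind of attack when it comes before the attacker-controlled bytes.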
Re: Key Transition Letter 2009-05-21
Wow Felipe ... WowT

On Sun, May 24, 2009 at 8:38 AM, webmas...@felipe1982.com <+gpg2+maniams+aec56db6fa.webmaster#felipe1982@spamgourmet.com> wrote:
>
> > As of this writing, no algorithm supported by GnuPG has been
> > compromised. Even MD5 is still on its feet.
> I don't think this is correct. See:
> http://th.informatik.uni-mannheim.de/People/lucks/HashCollisions/
>
> felipe
>

I say Wow here to the simple presentation of the collision and also forwarding this great piece here. The technical gurus of this board may have found the above link boring but a novice like me found it very interesting.

I'm looking for similar simple explanations like the above on what a hash function is and what algorithms are, and what other basics someone should know before making _their_own_ choice of algos, hash etc. Any pointers would be most appreciated.

regards
maniams
Re: Key Transition Letter 2009-05-21
webmas...@felipe1982.com wrote:
> I don't think this is correct. See:
> http://th.informatik.uni-mannheim.de/People/lucks/HashCollisions/

It depends on what sort of threat you're facing. In this case, the MD5 attack is predicated on the victim signing documents they did not originate. This is often considered bad policy, since it tends to facilitate attacks like this. This usage case is kind of rare for GnuPG -- not unheard of, but rare.

MD5 is best avoided, yes, please don't get me wrong -- but it's kind of a stretch to say that it is entirely broken for purposes of email cryptography.
Re: Key Transition Letter 2009-05-21
> As of this writing, no algorithm supported by GnuPG has been
> compromised. Even MD5 is still on its feet.

I don't think this is correct. See:
http://th.informatik.uni-mannheim.de/People/lucks/HashCollisions/

felipe
Re: Key Transition Letter 2009-05-21
Dear Robert

On Sun, May 24, 2009 at 6:42 AM, Subu wrote:
>
> On Sun, May 24, 2009 at 6:15 AM, Robert J. Hansen - r...@sixdemonbag.org
> <+gpg2+maniams+ba4eefb302.rjh#sixdemonbag@spamgourmet.com> wrote:
>
>> gpg2.20.mani...@dfgh.net wrote:
>> > What are the algos that are compromised ? or NOT to be used ? If this is
>> > too long a list
>>
>> Sorry to be so late to the party --
>>
>> As of this writing, no algorithm supported by GnuPG has been
>> compromised. Even MD5 is still on its feet.
>>
>> That said, the SHA-1 and MD5 algorithms are both looking a little shaky,
>> and generally the recommendation seems to be to move away from those
>> algorithms.
>>
>> All other algorithms supported by GnuPG are in good shape.
>>
>> > I understand that choosing the key size and algo is something personal
>> > and others can't decide. But I'm trying to know the choice
>>
>> Please don't do this. The defaults are the defaults for a very good
>> reason: they're good defaults. With the exception of "move away from
>> SHA1", please do not mess around with the defaults more than you
>> absolutely have to.
>>
>
> Thanks for the reply and advice. I shall follow the same.
>
> Regards
> maniams
>
Re: Key Transition Letter 2009-05-21
gpg2.20.mani...@dfgh.net wrote:
> What are the algos that are compromised ? or NOT to be used ? If this is
> too long a list

Sorry to be so late to the party --

As of this writing, no algorithm supported by GnuPG has been compromised. Even MD5 is still on its feet.

That said, the SHA-1 and MD5 algorithms are both looking a little shaky, and generally the recommendation seems to be to move away from those algorithms.

All other algorithms supported by GnuPG are in good shape.

> I understand that choosing the key size and algo is something personal
> and others can't decide. But I'm trying to know the choice

Please don't do this. The defaults are the defaults for a very good reason: they're good defaults. With the exception of "move away from SHA1", please do not mess around with the defaults more than you absolutely have to.
Re: Key Transition Letter 2009-05-21
Dear Members

What are the algos that are compromised ? or NOT to be used ? If this is too long a list

What are the Algos that are _to_be_ /or/ _could_be_ used /or/ _not_yet_compromised_

I understand that choosing the key size and algo is something personal and others can't decide. But I'm trying to know the choice

regards
maniams
Re: Key Transition Letter 2009-05-21
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Allen Schultz wrote:
> For the reason of SHA1 issues in the news, I've recently set up
> a new OpenPGP key, and
> will be transitioning away from my old one.
...
> To fetch my new key from a public key server, you can simply do:
>
> gpg --keyserver pgp.mit.edu --recv-key DAD4736B

Don't use that keyserver, it can damage your key. Try pool.sks-keyservers.net

Probably most people won't sign your new key, unless they have signed your old key. WoT usually requires people exchanging keys face-to-face or relying on other signatures to know the key belongs to the right person...

Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBCAAGBQJKFbEmAAoJEMV4f6PvczxArfkH/jb/nH5hjvr7DAE2SPNHvbOg
N6Lexa1krIwbY815WNGWmkGLsRnQWxbJ0OiCEIhR9OIfSo4aki69pBKh1PC72R9U
b4xalL/5G58Wo3gAJEnaeKEmIYc437RS8kYwVt9kYAd0gPq1zSO3zqAhCtc8F1pw
A7tJoXkGmbZOf6XzHAEXtA548P0f6rOWpVityJ8Sto5NZB5Qf/G1T5wMWJyoSed/
PR5orl7poPRNZoTUR+REivqYUU9JTCoGvFLMWvGQf5vAErcZ93lwqNDMJdfK+fx7
Wbsd9NGDFppXzcCgf9sN7w+1oek6GfeX3qFdVzvI5ymfHWDuGmOfjAH3qZ/36VM=
=qDQ2
-----END PGP SIGNATURE-----
Re: Key Transition Letter 2009-05-21
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Allen Schultz wrote:
> Thank you for the information. I will clearsign this using the
> new key only.

> Let me know if this signature does not work either.

OpenPGP Security Info

UNTRUSTED Good signature from Allen Schultz (aldaek)
Key ID: 0xF55651E0 / Signed on: 5/21/2009 12:47 PM
Key fingerprint: 16AD EFE1 D68F C8A8 B086 68CD 1A35 85C7 DAD4 736B

Works much better with just a single Signature. :-D

JOHN 8-)
Timestamp: Thursday 21 May 2009, 14:17 --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10-svn5019: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx

iQEcBAEBCgAGBQJKFZreAAoJEBCGy9eAtCsPooYIAJvpfHU++TMnzzIk+WeK2TJt
/aHasNt68bdMw0O9MDc7pHkzuH4tEpW5LSa9sf9M6/EexbNovLBkb1JFMeGajHSc
VrTtiozjXos33qcL9D155gCHb//T0QtFKvDKZWCsYP403wtlMEiQL8YiP3lwGmLk
H3+g0O0/rS0k+ZSyiEYjYk0n92W40SoOOJyBtN87DEjW/av66OQRJSFjSO2Avk1j
OZRHvkh+HM/xZWbNI1ffCaaGJKMSTLHKA/xtMOiC+NdUpWuNo+pZvVQTZLqjI4NW
JM+qQU0aeS5tSo9EwqMKflBGOWPDm5VL6+mVBMe76+uawOqSXQL45Tp8dBeBons=
=jnd6
-----END PGP SIGNATURE-----
Re: Key Transition Letter 2009-05-21
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, May 21, 2009 at 7:31 AM, Raimar Sandner wrote:
> After all the _old_ key could have been compromised, that is what I meant :)

Thank you for the information. I will clearsign this using the new key only.

EE79C636 has already been updated [and uploaded] with an expiration date. This key is outdated due to the SHA-1 break in collisions.

pub   1024D/EE79C636 2009-04-24 [expires: 2009-08-19]
      Key fingerprint = 0DC0 D8F6 A3A7 C107 59C4 1512 579A F712 EE79 C636
uid                  Allen Schultz
uid                  [jpeg image of size 6128]
sub   2048g/762B1E36 2009-04-24

As far as signing or verifying through email, the subject has already been discussed. Again, it's your choice. I may sign at a "unverified - fingerprint through unsecure medium" per the questions gpg asks. It does not validate the rest of my public ring. But that was only done with the older EE79C636 as of the signing of this email.

Let me know if this signature does not work either.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.72

iQEcBAEBCAAGBQJKFYWWAAoJEMNyjCz1VlHgo3YH/05JARgW8utXay9rR7nIe7lI
b1aRHYxTVslXKEKOiGk4PqAWkVCPbdly2dOzta/q1r+yq1HOXDe9v8mfMFstJdMd
MTDhZd7QF9Cc2o586Nz1zHbGqkNvBb4U3oO+4AkgjmZMzL3IMXeYvUCvWbKHm7uh
Bd0ofmYC/ABFCKR0jSrn/Zfs3Qf0fAXomPuuPSSpTghVZyeTyAvwtnda5tqvmjmh
2DK2SGJ0c6yC8GbHFzS2np8plL957FpnEHfrTkxfuOw6GVNixOvrcAlyepkX2rW+
Vi3KfSrVIp2KOxTy6pOSkXLnweFY5C9fKsgEpS2hnUpy43L0YeChu7bQDRWHKlA=
=wFD0
-----END PGP SIGNATURE-----

--
Allen Schultz
pub   3072R/DAD4736B 2009-05-20
      Key fingerprint = 16AD EFE1 D68F C8A8 B086 68CD 1A35 85C7 DAD4 736B
uid                  Allen Schultz (aldaek)
uid                  [jpeg image of size 6128]
sub   2048R/F55651E0 2009-05-20 [expires: 2010-05-20]
sub   2048R/5687B83E 2009-05-20 [expires: 2010-05-20]
Re: Key Transition Letter 2009-05-21
On Thursday 21 May 2009 15:15:18 Raimar Sandner wrote:
> I believe (and I think others do too) it is good practice to not sign new keys
> even if you have signed the old one and the new key is signed by the old
> one, without personally checking with the keyholder first. After all, the
> new key could have been compromised.

After all the _old_ key could have been compromised, that is what I meant :)
Re: Key Transition Letter 2009-05-21
Hello

On Thursday 21 May 2009 11:35:44 Allen Schultz wrote:
> For the reason of SHA1 issues in the news, I've recently set up
> a new OpenPGP key, and
> will be transitioning away from my old one.
> This message is signed by
> both keys to certify the
> transition.

I have not received signatures with your mail, but Charly's reply implies that there is a signature, though it does not validate. I have switched to a new mail system, I hope it does not strip away signatures :-/

> If you already know my old key, you can now verify that the new
> key is
> signed by the old one:
>
> gpg --check-sigs DAD4736B

I believe (and I think others do too) it is good practice to not sign new keys even if you have signed the old one and the new key is signed by the old one, without personally checking with the keyholder first. After all, the new key could have been compromised.

> If you don't already know my old key, or you just want to be
> double
> extra paranoid, you can check the fingerprint against the one
> above:
>
> gpg --fingerprint DAD4736B

If someone does _not_ know the old key, checking the fingerprint against an untrusted source like an eMail is certainly not enough. It is crucial for the web of trust that key/UID combinations are only signed after the fingerprint has been confirmed by the keyholder in person, and the UID has been checked against an official identification.

I think the best way to have your new key integrated in the web of trust is to visit a keysigning party, or to look up key signers in your area at biglumber.com.

Raimar
Re: Key Transition Letter 2009-05-21
Allen Schultz wrote the following on 5/21/09 5:35 AM:
[...]
>
> Please let me know if there is any trouble, and sorry for the
> inconvenience.
[...]

No inconvenience. Results of signature verification and key usage:

-----BEGIN GPG OUTPUT-----
gpg: Signature made Thu May 21 05:34:13 2009 EDT using RSA key ID F55651E0
gpg: BAD signature from "Allen Schultz (aldaek) "
-----END GPG OUTPUT-----

$ gpg --edit-key F55651E0
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  3072R/DAD4736B  created: 2009-05-20  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048R/F55651E0  created: 2009-05-20  expires: 2010-05-20  usage: S
sub  2048R/5687B83E  created: 2009-05-20  expires: 2010-05-20  usage: E
[ unknown] (1). Allen Schultz (aldaek)
[ unknown] (2)  [jpeg image of size 6128]

Command> check
uid  Allen Schultz (aldaek)
sig!3        DAD4736B 2009-05-20  [self-signature]
sig!         EE79C636 2009-05-20  Allen Schultz
uid  [jpeg image of size 6128]
sig!3        DAD4736B 2009-05-20  [self-signature]

To sum up (as far as I can sum up).

1. Your message (which shows in the PGP headers both SHA1 and SHA256) shows that the signature has been made using the signing subkey F55651E0 of primary key DAD4736B.

2. Signature does not verify. Your photo file can be displayed.

3. Your primary key DAD4736B has been signed using EE79C636 (as you said it would be):

$ gpg --edit-key EE79C636
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024D/EE79C636  created: 2009-04-24  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048g/762B1E36  created: 2009-04-24  expires: never       usage: E
[ unknown] (1). Allen Schultz

Command> check
uid  Allen Schultz
sig!3        EE79C636 2009-04-24  [self-signature]

4. I cannot sign your key, not because I am double extra paranoid or even simple basic paranoid (which I am), but because I don't know you, I can't ascertain that you are who you claim to be, or that the above key or keys belong to you. There are some basic rules to the Web of Trust.

Best regards,
Charly
Key Transition Letter 2009-05-21
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256,SHA1

For the reason of SHA1 issues in the news, I've recently set up a new OpenPGP key, and will be transitioning away from my old one.

The old key will continue to be valid for some time, but I prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust. This message is signed by both keys to certify the transition.

The old key was:

pub   1024D/EE79C636 2009-04-24
      Key fingerprint = 0DC0 D8F6 A3A7 C107 59C4 1512 579A F712 EE79 C636
uid                  Allen Schultz
uid                  [jpeg image of size 6128]
sub   2048g/762B1E36 2009-04-24

And the new key is:

pub   3072R/DAD4736B 2009-05-20
      Key fingerprint = 16AD EFE1 D68F C8A8 B086 68CD 1A35 85C7 DAD4 736B
uid                  Allen Schultz (aldaek)
sub   2048R/F55651E0 2009-05-20 [expires: 2010-05-20]
sub   2048R/5687B83E 2009-05-20 [expires: 2010-05-20]

To fetch my new key from a public key server, you can simply do:

  gpg --keyserver pgp.mit.edu --recv-key DAD4736B

If you already know my old key, you can now verify that the new key is signed by the old one:

  gpg --check-sigs DAD4736B

If you don't already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

  gpg --fingerprint DAD4736B

If you are satisfied that you've got the right key, and the UIDs match what you expect, I'd appreciate it if you would sign my key:

  gpg --sign-key DAD4736B

Lastly, if you could upload these signatures, I would appreciate it. You can either send me an e-mail with the new signatures (if you have a functional MTA on your system):

  gpg --armor --export DAD4736B | mail -s 'OpenPGP Signatures' allen.schu...@gmail.com

Or you can just upload the signatures to a public keyserver directly:

  gpg --keyserver pgp.mit.edu --send-key DAD4736B

Please let me know if there is any trouble, and sorry for the inconvenience.

Regards,
--ads

PS: Transition Letter idea copied from dkg (http://fifthhorseman.net/key-transition-2007-06-15.txt).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.72

iQEcBAEBCAAGBQJKFSAVAAoJEMNyjCz1VlHgjWMH/iU0U/VR1/zdpM93pL72/sfc
E4OBBaz6LtHmvYJTS+lQ8EYBf9dMTd+R8r2Nh4tKCYj8oY6HhffCIhGUrgE73Gba
QQbZTE56pmWtwGwiki2a+rhK9y8du8X2pajBJurTqeSNRMv8q3iGkQPI/Wn6J/l3
gBdZYZ1zqJcFIYXzzm4y10+rOtShOuOwz43DrGas6cW4FETJGWA1WUQfoLYQ5L2c
mVf4y1zR6DY4nJ8zgpsJeWO5J3UJQaqpRKDvl2Ls3OdcZHJ0n1S3v1J1MK2X5Q5K
A5dKauvO82YGpq5c8JR1Zp2XCdDKTZ2qxRdgESCRj3X68uGceRTS9gd7WN5whZqI
RgQBEQIABgUCShUgFQAKCRBXmvcS7nnGNlcqAJ9l352qqohUIVoVE/Z+EA1HzXPQ
+gCfYCXuRN9aDq/HIwig5s9ElXBWVbQ=
=BThX
-----END PGP SIGNATURE-----

--
Allen Schultz