Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-12 Thread Hauke Laging
Am Mi 11.07.2012, 22:10:11 schrieb Daniel Kahn Gillmor:

> If the attacker can convince you to sign a chosen text (perhaps one that
> looks reasonable), then a failure in the digest's collision-resistance
> could very well be used to replay that signature over a different (but
> colliding) text (which may not be something reasonable).  This does not
> require a preimage collision.

But that is a problem only in the case that a collision algorithm is capable
of creating (mostly – some random data may be hidden in comments) useful
data, isn't it?

I am not familiar with the collision algorithms. Is all the effort useless if
the reasonable document is slightly changed? I guess so. Does it make sense to
require every document which one is to sign to be slightly changed (even if
it's just a typo but this change would have to be determined by oneself not
by the other party) before signing?


> I'm not saying these attacks exist practically today against SHA1 (i
> don't know if they do), but collision-resistance is the relevant
> property, not resistance to pre-image attacks.

But the problem of collision-resistance can be addressed organizationally,
pre-image attacks cannot.


Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-12 Thread Werner Koch
On Wed, 11 Jul 2012 22:55, nicholas.c...@gmail.com said:

> But one thing that might be helpful to explain is this: what needs to
> be in the V5 key format aside from the change in fingerprint hash?
> Aside from that issue, the V4 key format seems to have been resilient.
> What are the other issues that need to be addressed?

We need to check the WG archives for a list.  What I can remember are:
 
- A new fingerprint scheme

- A hard (non-changeable) expiration time

- A different way to express timestamps (Y2038 annoyance and the hard
  Y2106 problem).  An 8601 timestamp string should do.

- Get rid of the old and optional protection schemes or even switch to a
  modern standard one.

There are related things we need to change for signatures packets.  It
might also be a good time to replace PKCS#1.5,


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-12 Thread Daniel Kahn Gillmor
On 07/12/2012 08:16 AM, Werner Koch wrote:
> On Wed, 11 Jul 2012 22:55, nicholas.c...@gmail.com said:
>
>> But one thing that might be helpful to explain is this: what needs to
>> be in the V5 key format aside from the change in fingerprint hash?
>> Aside from that issue, the V4 key format seems to have been resilient.
>> What are the other issues that need to be addressed?
>
> We need to check the WG archives for a list.  What I can remember are:
>
> - A new fingerprint scheme
>
> - A hard (non-changeable) expiration time
>
> - A different way to express timestamps (Y2038 annoyance and the hard
>   Y2106 problem).  An 8601 timestamp string should do.
>
> - Get rid of the old and optional protection schemes or even switch to a
>   modern standard one.
>
> There are related things we need to change for signatures packets.  It
> might also be a good time to replace PKCS#1.5,

some other points (from memory):

 * Issuer subpacket should use a full fingerprint, rather than a short keyID

 * designated revoker signature should embed full key instead of
fingerprint.

--dkg





Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-11 Thread Werner Koch
On Wed, 11 Jul 2012 07:56, r...@sixdemonbag.org said:

> V5 discussions will not kick off in earnest until NIST announces the new
> hash standard, or so I've heard people from the working group say.

And even then it will take 5 years or so until it has been deployed
widely.  Even GnuPG 1.2 is still in use; despite that it has been
declared EOL ages ago.

The fingerprint and the special features building upon it
(e.g. revocation keys) are targets for an attack based on a SHA-1
*pre-image* attack.  We need to analyze the possible problems and if
needed deploy workarounds for them.  SHA-256 for signatures is already
in widespread use - thus I don't see a problem right now.

The real problem I see for GnuPG is that its maintenance is heavily
under-financed and the pool of volunteers, taking care of it, is quite
small.  I am not sure whether PGP is in a better position; given its
current owner.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




RE: why is SHA1 used? How do I get SHA256 to be used?

2012-07-11 Thread Sam Smith

> I'd much rather fail to generate a signature than generate
> one using an algorithm which is very weak.

My feelings as well.



Date: Tue, 10 Jul 2012 23:59:45 +
From: sand...@crustytoothpaste.net
To: gnupg-users@gnupg.org
Subject: Re: why is SHA1 used? How do I get SHA256 to be used?

On Tue, Jul 10, 2012 at 10:10:12AM -0400, Robert J. Hansen wrote:
>> SHA1 is no longer secure.
>
> At the present moment, SHA-1 is just fine.  In the fairly near future,
> anywhere between six months to a few years, I expect this will change.
> But "SHA1 is no longer secure" is factually untrue, at least where
> OpenPGP is concerned.
 
SHA-1 is considered cryptographically broken.  It does not provide the
level of security it claims.  Practically, collisions can be generated
for 75 of the 80 rounds[0].  I hardly consider an algorithm this close
to a collision "just fine".  There's no need to run screaming to the
exits, but a quick and orderly transition has been appropriate for some
time.  The time to move to something else is ending soon.
 
> I don't recommend SHA-1 for new signatures, but if you have a choice
> between sending a SHA-1 message which your recipient can verify
> or a SHA-256 message which your recipient can't, well -- that math's
> pretty easy to do.  SHA-1 isn't a good choice for new signatures, but
> it's a lot better than no signature.
 
I don't generate signatures with algorithms I consider insecure because
that leads to people being able to forge signatures in my name.  If I
use MD5, even for one message, that allows a moderately determined
attacker to replay that signature on what is likely to become a fairly
large set of messages.  I'd rather avoid that, thank you.
 
>> I'm not going to cater to people using really old versions,
>> especially when security is involved.
>
> The good news is that no one's asking you to.  You're only being
> advised, "don't use --digest-algo SHA256, it's unwise and can break
> interoperability.  Use --personal-digest-preferences SHA256 instead."
> This is the same advice that has been given by the GnuPG developers, by
> the Enigmail team, and by many other people within the community.  It's
> a best-practices thing for GnuPG.
 
The question is, will GnuPG fall back to SHA-1 if it's not in my digest
preferences?  I'd much rather fail to generate a signature than generate
one using an algorithm which is very weak.
 
[0] http://eprint.iacr.org/2011/641
 
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187



Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-11 Thread Nicholas Cole
On Wed, Jul 11, 2012 at 11:25 AM, Werner Koch w...@gnupg.org wrote:
> On Wed, 11 Jul 2012 07:56, r...@sixdemonbag.org said:
>
>> V5 discussions will not kick off in earnest until NIST announces the new
>> hash standard, or so I've heard people from the working group say.
>
> And even then it will take 5 years or so until it has been deployed
> widely.  Even GnuPG 1.2 is still in use; despite that it has been
> declared EOL ages ago.
>
> The fingerprint and the special features building upon it
> (e.g. revocation keys) are targets for an attack based on a SHA-1
> *pre-image* attack.  We need to analyze the possible problems and if
> needed deploy workarounds for them.  SHA-256 for signatures is already
> in widespread use - thus I don't see a problem right now.
>
> The real problem I see for GnuPG is that its maintenance is heavily
> under-financed and the pool of volunteers, taking care of it, is quite
> small.  I am not sure whether PGP is in a better position; given its
> current owner.

A bleak but realistic assessment.

But one thing that might be helpful to explain is this: what needs to
be in the V5 key format aside from the change in fingerprint hash?
Aside from that issue, the V4 key format seems to have been resilient.
 What are the other issues that need to be addressed?

Nicholas



Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-11 Thread brian m. carlson
On Tue, Jul 10, 2012 at 08:15:32PM -0400, Robert J. Hansen wrote:
> There tends to be a lot of scaremongering in the world of crypto.  I
> think it's generally wise to be careful in our declarations.  It is
> enough to say SHA-1 is known to not meet its design specifications and
> that some fairly devastating attacks against it will likely be coming
> along in the near future.  That's already a good enough reason to reduce
> our usage of and dependency upon SHA-1.  There's no need to fearmonger
> about how the algorithm has already collapsed, because it hasn't.

I'm not saying it has collapsed.  I'm saying that it has weaknesses, and
that the number and magnitude of the weaknesses continue to grow, and
that I think it is imprudent to use SHA-1.  I would much rather people
make the move to something better now, because otherwise we'll all be
stuck with SHA-1 long after it's insecure, just like it's been with MD5.

>> Practically, collisions can be generated for 75 of the 80 rounds[0].
>
> Right now, only random collisions can be generated.  That's not any use
> in forging a signature, which requires a preimage collision.  A
> cryptographic break is not the same as a practical exploit.

It's an indication of weakness.  I've seen lots of people that work with
crypto claim that we don't need larger margins of security.  The cost of
computation is so small that I'd rather overdo it than regret my
decision later.

>> I don't generate signatures with algorithms I consider insecure
>> because that leads to people being able to forge signatures in my
>> name.
>
> Then you need to stop using OpenPGP altogether, because you're already
> generating SHA-1 signatures with your certificate which can be lifted
> and dropped onto new messages if/when a preimage attack is introduced
> against SHA-1.

Really?  I'm pretty sure that I'm not generating SHA-1 signatures.  This
is signed using SHA-512, SHA-384, or SHA-256.  When I sign another key,
I use SHA-512.  At least that's what I've configured GnuPG to do, and
I'd be very surprised if it did not, in fact, do that.  If it is using
SHA-1, please report it to the list: it's a bug.

> Let me make this really clear: if you believe SHA-1 is insecure, you
> believe OpenPGP is insecure and you should stop using it.  SHA-1 is
> hardwired into the OpenPGP spec in a few different places and, as of
> right now, cannot really be removed.  The new V5 key format will almost
> certainly change this, but V5 won't be coming out for a good long while yet.

SHA-1, for my current key, is being used to generate my fingerprint.
It's being used in MDCs when I encrypt a message.  And it's being used
instead of the default checksum for my private key.  That's it.

Since my private key remains solely in my possession and is not subject
to tampering, what checksum is used is really irrelevant.  Since I sign
my messages when I encrypt them, the MDC is essentially redundant, since
it would be apparent that they'd been tampered with.  It is extremely
unlikely that an attacker would be able to tamper with the encrypted
message such that they could produce a valid, signed unencrypted
message.

And I'm personally not happy with the use of SHA-1 for the fingerprint,
but it'll have to do for a while.  I wish we had chosen RIPEMD-160
instead.  I feel it's a better, more conservative design.

>> If I use MD5, even for one message, that allows a moderately
>> determined attacker to replay that signature on what is likely to
>> become a fairly large set of messages.  I'd rather avoid that, thank
>> you.
>
> You've *already done this*.

Really?  Can you show an example?

> If you truly believe this, stop using OpenPGP.

Is my statement not true for MD5?

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187




Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-11 Thread vedaal

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
 
On 7/11/2012 9:23 PM, brian m. carlson wrote:

>>> If I use MD5, even for one message, that allows a moderately
>>> determined attacker to replay that signature on what is likely to
>>> become a fairly large set of messages. I'd rather avoid that, thank
>>> you.
>>
>> You've *already done this*.
>
> Really? Can you show an example?

If you *ever* signed a message with SHA1 and posted it publicly,
(maybe in the 'olden days' before any vulnerability in SHA1 was known)

then that signature could become a source for a forgery,
 whenever SHA1 becomes broken enough.

(A clever, malicious attacker could backdate the clock,
and have a forgery of something you did in the past,
when you couldn't claim:

"Hey, that's an obvious forgery!
I'm on record as saying I would never use SHA1 to sign anything anymore!")


vedaal
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Acts of Kindness better the World, and protect the Soul
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-END PGP SIGNATURE-




Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-11 Thread Robert J. Hansen
On 7/11/2012 9:23 PM, brian m. carlson wrote:
> Really?  I'm pretty sure that I'm not generating SHA-1 signatures.

This is not necessarily relevant.

Here's a thought experiment for you.  Someone creates a DSA-1k key and
uses --cert-digest-algo SHA256 and --enable-dsa2.  This creates 160-bit
truncated SHA256 hashes.

This person is at risk from a SHA-1 preimage collision, *despite the
fact they've never generated a single SHA-1 signature*.

All the attacker has to do is create a message which SHA-1s out to the
same value as the truncated SHA-256 of a legitimate message.  At that
point, the forgery becomes possible.

I don't specifically know how you're using SHA-256.  Nor do I especially
want to know.  What I do know is that there are a surprising number of
ways a SHA-1 preimage attack can screw over even people who have never
used SHA-256.

Don't put too much faith in "if I switch to SHA-256 I don't need to
worry about the SHA-1 attacks."  It's probably not true.





Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-11 Thread Hauke Laging
Am Mi 11.07.2012, 23:13:00 schrieb vedaal:
> (A clever, malicious attacker could backdate the clock,
> and have a forgery of something you did in the past,
> when you couldn't claim:
>
> "Hey, that's an obvious forgery!
> I'm on record as saying I would never use SHA1 to sign anything anymore!")

So what?

A signature over a broken hash alone is worthless no matter what its timestamp 
says. If you want to prove anything by a signature at a time when the hash is 
considered broken you have to prove that the signature existed before that 
time. And this proof can obviously not be based on the broken hash.

Thus you have to sign all signatures you want to be able to use after the 
announcement that they are broken (which can, of course, come surprisingly) by 
another hash or rather you have to get them signed by a trusted third party if 
you want to use them against someone.


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814



Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-11 Thread Robert J. Hansen
You're arguing two different contradictory things here:

> I'm not saying these attacks exist practically today against SHA1 (i
> don't know if they do), but collision-resistance is the relevant
> property, not resistance to pre-image attacks.

And then:

> The places where it is thoroughly baked in are the MDC (not relevant
> cryptographically) and the V4 fingerprint (where the relevant property
> is resistance to a preimage attack instead of resistance to generated
> collisions).

The relevant property can be resistance to preimage attack or it can be
collision resistance.  Pick a property and argue it, please.  :)

I am far more concerned about preimage attacks (which are the ultimate
game-over) than random collisions (which affect a smaller fraction of
the userbase).  I'm not saying that random collisions are not troubling
in their own right.

> Where exactly has the original poster signed anything over an MD5 digest?

Refer to my subsequent message, where I backed off from that statement
and clarified I was referring to the poster was already relying on the
safety of SHA-1 -- and was just in denial about it.

If you believe SHA-1 is insecure and you want to avoid it at all costs,
you need to avoid OpenPGP.





Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-11 Thread Daniel Kahn Gillmor
On 07/10/2012 06:15 PM, Robert J. Hansen wrote:
> Right now, only random collisions can be generated.  That's not any use
> in forging a signature, which requires a preimage collision.

If the attacker can convince you to sign a chosen text (perhaps one that
looks reasonable), then a failure in the digest's collision-resistance
could very well be used to replay that signature over a different (but
colliding) text (which may not be something reasonable).  This does not
require a preimage collision.

I'm not saying these attacks exist practically today against SHA1 (i
don't know if they do), but collision-resistance is the relevant
property, not resistance to pre-image attacks.

> SHA-1 is
> hardwired into the OpenPGP spec in a few different places and, as of
> right now, cannot really be removed.

The places where it is thoroughly baked in are the MDC (not relevant
cryptographically) and the V4 fingerprint (where the relevant property
is resistance to a preimage attack instead of resistance to generated
collisions).

>> If I use MD5, even for one message, that allows a moderately
>> determined attacker to replay that signature on what is likely to
>> become a fairly large set of messages.  I'd rather avoid that, thank
>> you.
>
> You've *already done this*.

Where exactly has the original poster signed anything over an MD5 digest?

--dkg





Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread Laurent Jumet
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160


Hello Robert !

Robert J. Hansen r...@sixdemonbag.org wrote:

>> I think that by default, --gnupg is in use; --gnupg means --openpgp
>> This means strict OpenPGP behaviour: MD5, SHA1, RIPEMD160
>
> Nope.
>
>> Try using --digest-algo SHA256 in the command line or GPG.CONF;
>> may be you'll need to suppress --personal-digest-preferences from
>> GPG.CONF (I don't know).
>
> I feel like I've said this several times in the past few months.  Let me
> say it one more time, loudly:
>
> DON'T USE --cipher-algo OR --digest-algo UNLESS YOU KNOW EXACTLY WHAT
> YOU'RE DOING AND WHY.  IT'S EASY TO CREATE MESSAGES YOUR RECIPIENT
> CANNOT READ.  USE THE --personal-X-preferences INSTEAD.

The question was: why does GPG use another preference than the primary
one?
I have the same problem: this ClearSign message is in RIPEMD160 despite it's
not the first choice, and obviously there is no recipient here.

- -- 
Laurent Jumet
  KeyID: 0xCFAF704C
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)

iHEEAREDADEFAk/7xaYqGGh0dHA6Ly93d3cucG9pbnRkZWNoYXQubmV0LzB4Q0ZB
RjcwNEMuYXNjAAoJEPUdbaDPr3BMvUMAoJo9kNtbXW39GOHMSmB8EMaDHu9DAKCw
q2MNfcNyx5aLv/titlDxloqy2g==
=1mFk
-END PGP SIGNATURE-



Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread Robert J. Hansen
On 7/10/2012 1:59 AM, Laurent Jumet wrote:
> The question was: why does GPG use another preference than the primary
> one?

The short answer is, because it has to, and because you've configured
it that way.

> I have the same problem: this ClearSign message is in RIPEMD160 despite it's
> not the first choice, and obviously there is no recipient here.

What are the contents of your personal-digest-preferences?

Also note that you're using a 1k DSA key for signing, so is it really so
surprising you're using a 160-bit hash algorithm?



Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread Andy Ruddock
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Robert J. Hansen wrote:
> On 7/9/2012 10:04 PM, vedaal wrote:
>> which open-pgp implementation can't read/verify SHA-256
>
> PGP 8.0 or before.  SHA-256 was introduced in 8.1, if I recall
> correctly.  There are still a *lot* of people using 6.5.8.
>

I used the information in this article:

http://www.debian-administration.org/users/dkg/weblog/48

If there are errors or omissions I'd be interested to learn, as the
article is now over 3 years old.

- -- 
Andy Ruddock
- 
andy.rudd...@rainydayz.org (GPG Key ID 0xB0324245)

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-END PGP SIGNATURE-



Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread Robert J. Hansen
On 7/10/2012 4:58 AM, Andy Ruddock wrote:
> I used the information in this article:

It is still substantially accurate and useful, as near as I can tell.
(I still think cert-digest-algo sha256 is unnecessary at this point in
time, but I understand why he believes otherwise, and his perspective is
hardly an unreasoned one.)



RE: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread Sam Smith

Hauke, thank you so much for explaining this. Would you be so kind as to 
describe how exactly I should edit my config file to accomplish SHA256? 

There's lots of advice out there and I'd like to make sure I don't make any 
mistakes when configuring. Thank you.


From: mailinglis...@hauke-laging.de
To: gnupg-users@gnupg.org
Subject: Re: why is SHA1 used? How do I get SHA256 to be used?
Date: Mon, 9 Jul 2012 23:56:11 +0200

Am Mo 09.07.2012, 17:45:37 schrieb Sam Smith:
> Here's the result of ShowPRef for my key:
> Cipher: AES256, AES192, AES, CAST5, 3DES
>  Digest: SHA256, SHA1, SHA384, SHA512, SHA224
>  Compression: ZLIB, BZIP2, ZIP, Uncompressed
>
> SHA1 is showing up second. So when I sign a message, why isn't SHA256 used?
>
Your key tells others what to do. For what you do yourself (when I sign a 
message) you have to edit the config file.
 
 
Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814



RE: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread Sam Smith

Yeah, there's still people on Internet Explorer 6 & 7 too and they cause all 
kinds of problems for web developers. If people using really old versions can't 
read something, that's really their burden to update their software. SHA1 is no 
longer secure. I'm not going to cater to people using really old versions, 
especially when security is involved.



> Date: Mon, 9 Jul 2012 23:10:27 -0400
> From: r...@sixdemonbag.org
> To: gnupg-users@gnupg.org
> Subject: Re: why is SHA1 used? How do I get SHA256 to be used?
>
> On 7/9/2012 10:04 PM, vedaal wrote:
>> which open-pgp implementation can't read/verify SHA-256
>
> PGP 8.0 or before.  SHA-256 was introduced in 8.1, if I recall
> correctly.  There are still a *lot* of people using 6.5.8.
>


Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread Robert J. Hansen
> SHA1 is no longer secure.

At the present moment, SHA-1 is just fine.  In the fairly near future,
anywhere between six months to a few years, I expect this will change.
But "SHA1 is no longer secure" is factually untrue, at least where
OpenPGP is concerned.

I don't recommend SHA-1 for new signatures, but if you have a choice
between sending a SHA-1 message which your recipient can verify
or a SHA-256 message which your recipient can't, well -- that math's
pretty easy to do.  SHA-1 isn't a good choice for new signatures, but
it's a lot better than no signature.

> I'm not going to cater to people using really old versions,
> especially when security is involved.

The good news is that no one's asking you to.  You're only being
advised, "don't use --digest-algo SHA256, it's unwise and can break
interoperability.  Use --personal-digest-preferences SHA256 instead."
This is the same advice that has been given by the GnuPG developers, by
the Enigmail team, and by many other people within the community.  It's
a best-practices thing for GnuPG.

Don't use --digest-algo.  Use --personal-digest-preferences.  That's all.



Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread Hauke Laging
Am Di 10.07.2012, 08:26:14 schrieb Sam Smith:
> Hauke, thank you so much for explaining this. Would you be so kind as to
> describe how exactly I should edit my config file to accomplish SHA256?

As Rob already mentioned: You need --personal-digest-preferences (which is 
just personal-digest-preferences in the config file). You put your favourite 
first, e.g.:

personal-digest-preferences SHA256,RIPEMD160,SHA1


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

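The thread keeps coming back to one question: which digest did a signature actually end up with? As an added example (not code from this thread and not GnuPG's own), the Python below reads the header of an OpenPGP signature packet, as laid out in RFC 4880 (section 4.2 for packet headers, 5.2.2 and 5.2.3 for v3 and v4 signature packets, 9.4 for hash algorithm IDs), and reports the hash algorithm it names, the value that appears in gpg --list-packets output. The build_sample_* helpers construct toy packets with placeholder key IDs and signature MPIs purely so the parser has something to run on; they are not real signatures.

```python
"""Report the hash algorithm named in an OpenPGP signature packet.

Added example; not code from the thread or from GnuPG.  Layout per RFC 4880
(4.2 packet headers, 5.2.2/5.2.3 v3 and v4 signature packets, 9.4 hash IDs).
Only packets with a complete (non-partial) body length are handled.
"""
import struct

# RFC 4880 section 9.4 hash algorithm IDs
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# RFC 4880 section 9.1 public-key algorithm IDs (subset)
PUBKEY_ALGOS = {1: "RSA", 3: "RSA (sign only)", 17: "DSA"}
SIGNATURE_TAG = 2
LEGACY_HASHES = {"MD5", "SHA1"}   # the digests this thread argues about


def parse_packet_header(data):
    """Return (tag, body_offset, body_length) for the packet starting at data[0]."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                      # new-format header: tag in the low 6 bits
        tag = first & 0x3F
        l0 = data[1]
        if l0 < 192:
            return tag, 2, l0
        if l0 < 224:
            return tag, 3, ((l0 - 192) << 8) + data[2] + 192
        if l0 == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths are not supported")
    tag = (first >> 2) & 0x0F             # old-format header: tag in bits 5..2
    length_type = first & 0x03
    if length_type == 0:
        return tag, 2, data[1]
    if length_type == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if length_type == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate packet length is not supported")


def signature_info(packet):
    """Return version, signature class, public-key algorithm and hash of a signature packet."""
    tag, offset, length = parse_packet_header(packet)
    if tag != SIGNATURE_TAG:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = packet[offset:offset + length]
    version = body[0]
    if version == 4:
        # v4: version, sig type, pubkey algo, hash algo, then the subpacket areas
        sig_type, pk_algo, hash_id = body[1], body[2], body[3]
    elif version == 3:
        # v3: version, hashed-material length (5), sig type, 4-byte time,
        # 8-byte key ID, pubkey algo, hash algo
        sig_type, pk_algo, hash_id = body[2], body[15], body[16]
    else:
        raise ValueError(f"unsupported signature version {version}")
    hash_name = HASH_ALGOS.get(hash_id, f"unknown ({hash_id})")
    return {
        "version": version,
        "sig_type": sig_type,
        "pubkey_algo": PUBKEY_ALGOS.get(pk_algo, f"unknown ({pk_algo})"),
        "hash_algo": hash_name,
        "legacy_hash": hash_name in LEGACY_HASHES,
    }


def build_sample_v4_packet(hash_id):
    """Constructed toy v4 signature packet (old-format header); key ID and MPI are placeholders."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1341928800)          # creation-time subpacket
    unhashed = bytes([9, 16]) + bytes.fromhex("0123456789ABCDEF")    # issuer key-ID subpacket
    body = bytes([4, 0x00, 1, hash_id])                              # v4, binary doc, RSA, hash
    body += struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed
    body += b"\xAB\xCD"                                              # left 16 bits of the digest
    body += struct.pack(">H", 8) + b"\x2A"                           # one placeholder RSA MPI
    return bytes([0x88, len(body)]) + body                           # 0x88: old format, tag 2, 1-byte length


def build_sample_v3_packet(hash_id):
    """Constructed toy v3 signature packet (new-format header), the shape older PGP versions emitted."""
    body = bytes([3, 5, 0x00]) + struct.pack(">I", 1341928800)
    body += bytes.fromhex("0123456789ABCDEF") + bytes([1, hash_id])
    body += b"\xAB\xCD" + struct.pack(">H", 8) + b"\x2A"
    return bytes([0xC2, len(body)]) + body                           # 0xC2: new format, tag 2


if __name__ == "__main__":
    for pkt in (build_sample_v4_packet(8), build_sample_v4_packet(2), build_sample_v3_packet(1)):
        print(signature_info(pkt))
```

Feeding a real signature packet (the first packet of a detached .sig file) to signature_info gives the same hash-algorithm answer as gpg --list-packets, which is the quickest way to confirm whether a personal-digest-preferences change took effect.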


Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread Laurent Jumet
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160


Hello Hauke !

Hauke Laging mailinglis...@hauke-laging.de wrote:

> As Rob already mentioned: You need --personal-digest-preferences (which is
> just personal-digest-preferences in the config file). You put your favourite
> first, e.g.:
>
> personal-digest-preferences SHA256,RIPEMD160,SHA1

Do you succeed in having a SHA256 hash with this statement?
How can I explain that I have RIPEMD160 instead?

- -- 
Laurent Jumet
  KeyID: 0xCFAF704C
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)

iHEEAREDADEFAk/8PwwqGGh0dHA6Ly93d3cucG9pbnRkZWNoYXQubmV0LzB4Q0ZB
RjcwNEMuYXNjAAoJEPUdbaDPr3BMRUgAnAli775gSYM8jzLws2QUIzFWs1OUAJ4v
+nb4d0H7K5EsWQ7Vu9Hv9/r3mQ==
=63v/
-END PGP SIGNATURE-



Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread Peter Lebbing
On 10/07/12 16:39, Laurent Jumet wrote:
> Do you succeed in having a SHA256 hash with this statement? How can I
> explain that I have RIPEMD160 instead?

Like Rob said,

> Also note that you're using a 1k DSA key for signing, so is it really so
> surprising you're using a 160-bit hash algorithm?

To truncate SHA-256 to fit in a 1k DSA signature, specify --enable-dsa2.

I personally don't use DSA, so there might be some more interesting options
related to it.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt



Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread Hauke Laging
Am Di 10.07.2012, 16:39:20 schrieb Laurent Jumet:

>> personal-digest-preferences SHA256,RIPEMD160,SHA1
>
> Do you succeed in having a SHA256 hash with this statement?

Yes, I do. Just tried.


> How can I explain that I have RIPEMD160 instead?

Two possibilities come to my mind:

1) I created a signature using gpg only. Did you do that, too, or did you use 
some GUI or calling program (MUA)?

2) Are there conflicting statements in your config file? Maybe you can check 
by calling

gpg --options /dev/null --personal-digest-preferences SHA256 --detach-sign...

gpg --options /dev/null --personal-digest-preferences SHA256,RIPEMD160 ...


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

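Hauke's second possibility, conflicting statements in the config file, and Rob's repeated warning against digest-algo are both things a small lint can catch before anyone signs a message. The following is an added example, not code from the thread or from GnuPG: it parses gpg.conf lines, flags a hard digest-algo override, and checks that personal-digest-preferences appears once, names only OpenPGP digests, and does not lead with MD5 or SHA-1. The two sample configurations are constructed for the example; the weak one mirrors the setup this thread advises against and the fixed one follows the thread's advice.

```python
"""Lint the digest-related lines of a gpg.conf.

Added example; not GnuPG code.  It checks the points this thread turns on:
a hard `digest-algo` override versus an ordered `personal-digest-preferences`
list, duplicate or malformed preference lines, and a legacy digest in first
place.  The sample configurations below are constructed.
"""
import re

OPENPGP_DIGESTS = {"MD5", "SHA1", "RIPEMD160", "SHA224", "SHA256", "SHA384", "SHA512"}
LEGACY_DIGESTS = {"MD5", "SHA1"}


def parse_gpg_conf(text):
    """Return (option, value) pairs; comments, blank lines and leading dashes are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        option = parts[0].lstrip("-").lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((option, value))
    return entries


def split_preferences(value):
    """Preference lists may be comma- or space-separated; normalise to upper-case names."""
    return [name.upper() for name in re.split(r"[,\s]+", value) if name]


def lint_digest_settings(text):
    """Return a list of findings; an empty list means the digest settings look sane."""
    findings = []
    options = {}
    for option, value in parse_gpg_conf(text):
        options.setdefault(option, []).append(value)

    # Rob's warning: digest-algo overrides preference negotiation and can yield
    # signatures the recipient's software cannot verify.
    for value in options.get("digest-algo", []):
        findings.append(f"digest-algo {value}: hard override, may produce signatures "
                        "the recipient cannot verify; use personal-digest-preferences")

    prefs = options.get("personal-digest-preferences", [])
    if not prefs:
        findings.append("no personal-digest-preferences line: GnuPG's built-in ordering applies")
        return findings
    if len(prefs) > 1:
        findings.append(f"personal-digest-preferences appears {len(prefs)} times; keep one line")
    names = split_preferences(prefs[-1])
    for name in names:
        if name not in OPENPGP_DIGESTS:
            findings.append(f"unknown digest name {name!r} in personal-digest-preferences")
    if names and names[0] in LEGACY_DIGESTS:
        findings.append(f"personal-digest-preferences leads with {names[0]}; "
                        "put a SHA-2 digest first")
    return findings


# Constructed sample configurations
WEAK_CONF = """\
# forces SHA256 even for recipients whose software cannot verify it
digest-algo SHA256
personal-digest-preferences SHA1,SHA256
"""

FIXED_CONF = """\
personal-digest-preferences SHA256 SHA384 SHA512 SHA224
cert-digest-algo SHA256
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_digest_settings(conf) or ["ok"])
```

Run it against ~/.gnupg/gpg.conf by reading the file and passing its text to lint_digest_settings; a clean result still leaves the key-size limit discussed below this post (a 1024-bit DSA key cannot sign with more than 160 hash bits), which no config line can lift.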


Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread David Shaw
On Jul 10, 2012, at 10:39 AM, Laurent Jumet wrote:
> Hauke Laging mailinglis...@hauke-laging.de wrote:
>
>> As Rob already mentioned: You need --personal-digest-preferences (which is
>> just personal-digest-preferences in the config file). You put your favourite
>> first, e.g.:
>>
>> personal-digest-preferences SHA256,RIPEMD160,SHA1
>
> Do you succeed in having a SHA256 hash with this statement?
> How can I explain that I have RIPEMD160 instead?

Your key is a 1024-bit DSA key.  That key can only use a 160-bit hash, so you 
can use either RIPEMD160 or SHA-1.  The rules for hash choice in DSA were 
relaxed a bit later, to allow for a 160-bit hash *or* a larger hash truncated 
to fit.  To enable that, you can use --enable-dsa2, and you should be able to 
get SHA256 - but note it's SHA256 truncated down to 160 bits.  You can't use 
more than 160 bits without a larger DSA key.

David


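The 160-bit limit David describes is the OpenPGP rule (RFC 4880, section 5.2.2) that a DSA signature hashes to exactly q bits, truncating a wider digest to its leftmost q bits. The following is an added model of that rule, not GnuPG code; the helper names, the DIGEST_BITS table and the `allow_truncation` switch (standing in for the difference between plain DSA and --enable-dsa2) are assumptions made for illustration. It generalizes slightly beyond the post by also covering the 224- and 256-bit q values of larger DSA keys.

```python
"""Model of OpenPGP's DSA digest rule: a DSA signature commits to exactly
q bits of hash, and a wider digest is truncated to its leftmost q bits.

Added example, not GnuPG's implementation.  Names and the sample preference
lists are assumptions for illustration."""
import hashlib

# Output sizes in bits of the OpenPGP hash algorithms named in the thread.
DIGEST_BITS = {
    "MD5": 128, "SHA1": 160, "RIPEMD160": 160,
    "SHA224": 224, "SHA256": 256, "SHA384": 384, "SHA512": 512,
}


def dsa_hash_input(message: bytes, algo: str, q_bits: int) -> bytes:
    """Return the bytes a DSA signature over `message` actually commits to.

    RFC 4880 section 5.2.2: the hash must be at least q bits wide; if it is
    wider, only the leftmost q bits are used.  Whole-byte q values only
    (OpenPGP DSA keys use q of 160, 224 or 256 bits).
    """
    if DIGEST_BITS[algo] < q_bits:
        raise ValueError(
            f"{algo} ({DIGEST_BITS[algo]} bits) is too short for a {q_bits}-bit q")
    # hashlib names are lower case; RIPEMD160 needs OpenSSL support to exist.
    digest = hashlib.new(algo.lower(), message).digest()
    return digest[: q_bits // 8]


def choose_dsa_digest(prefs, q_bits, allow_truncation):
    """Pick the first preferred digest a DSA key with a q_bits subgroup can use.

    allow_truncation=False models plain DSA as discussed above: only a digest
    of exactly q bits is accepted.  True models --enable-dsa2: a larger
    digest is accepted and truncated by dsa_hash_input().  Returns None when
    nothing in `prefs` fits.
    """
    for algo in prefs:
        bits = DIGEST_BITS[algo]
        if bits == q_bits or (allow_truncation and bits > q_bits):
            return algo
    return None


if __name__ == "__main__":
    prefs = ["SHA256", "RIPEMD160", "SHA1"]       # Hauke's example preference list
    print(choose_dsa_digest(prefs, 160, False))   # RIPEMD160: SHA256 is not 160 bits
    print(choose_dsa_digest(prefs, 160, True))    # SHA256, but see the length below
    truncated = dsa_hash_input(b"abc", "SHA256", 160)
    print(len(truncated) * 8, truncated.hex())    # 160 bits: SHA256 cut down to fit q
    print(len(dsa_hash_input(b"abc", "SHA256", 256)) * 8)  # 256 with a 3072-bit DSA key
```

The last two lines make the point of the thread concrete: with a 160-bit q the signature binds only 20 bytes of the SHA-256 output, the same width as RIPEMD160 or SHA-1, and only a larger DSA key (q of 224 or 256 bits) lets the full digest through.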


Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread Robert J. Hansen
On 7/10/2012 10:39 AM, Laurent Jumet wrote:
> Do you succeed in having a SHA256 hash with this statement? How can I
> explain that I have RIPEMD160 instead?

I apologize for repeating myself here: I don't mean to be condescending,
but apparently my answer was not clear.  I'll try to be more clear.

You're using a DSA-1k key.

It's limited to 160 bits.  That means you cannot use SHA256.  The best
you can get is SHA256 truncated down to 160 bits, but at that point
there's no difference between SHA256 and RIPEMD160.  They both have the
exact same margin of security: there are no known attacks against either.




Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread brian m. carlson
On Tue, Jul 10, 2012 at 10:10:12AM -0400, Robert J. Hansen wrote:
>> SHA1 is no longer secure.
>
> At the present moment, SHA-1 is just fine.  In the fairly near future,
> anywhere between six months to a few years, I expect this will change.
> But "SHA1 is no longer secure" is factually untrue, at least where
> OpenPGP is concerned.

SHA-1 is considered cryptographically broken.  It does not provide the
level of security it claims.  Practically, collisions can be generated
for 75 of the 80 rounds[0].  I hardly consider an algorithm this close
to a collision just fine.  There's no need to run screaming to the
exits, but a quick and orderly transition has been appropriate for some
time.  The time to move to something else is ending soon.

> I don't recommend SHA-1 for new signatures, but if you have a choice
> between sending a SHA-1 message which your recipient can verify
> or a SHA-256 message which your recipient can't, well -- that math's
> pretty easy to do.  SHA-1 isn't a good choice for new signatures, but
> it's a lot better than no signature.

I don't generate signatures with algorithms I consider insecure because
that leads to people being able to forge signatures in my name.  If I
use MD5, even for one message, that allows a moderately determined
attacker to replay that signature on what is likely to become a fairly
large set of messages.  I'd rather avoid that, thank you.

>> I'm not going to cater to people using really old versions,
>> especially when security is involved.
>
> The good news is that no one's asking you to.  You're only being
> advised, "don't use --digest-algo SHA256, it's unwise and can break
> interoperability.  Use --personal-digest-preferences SHA256 instead."
> This is the same advice that has been given by the GnuPG developers, by
> the Enigmail team, and by many other people within the community.  It's
> a best-practices thing for GnuPG.

The question is, will GnuPG fall back to SHA-1 if it's not in my digest
preferences?  I'd much rather fail to generate a signature than generate
one using an algorithm which is very weak.

[0] http://eprint.iacr.org/2011/641

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187




Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread Robert J. Hansen
On 7/10/2012 7:59 PM, brian m. carlson wrote:
> SHA-1 is considered cryptographically broken.  It does not provide
> the level of security it claims.

Yes.  This is not the same as being *insecure*, though, which is what
was claimed.  Moving from "cryptographically broken" to "insecure/dead"
is about as large a step as going from nothing to "cryptographically
broken".

MD5 was cryptographically broken in 1996.  We didn't see major practical
results against it until 2005 or so, and NIST didn't declare it to be
"dead and should no longer be used" until 2010.  There's some serious
lag time there.  SHA-1 will likely not have as long of a lag time, but
let's not go about pretending there is no lag time or that the lag time
has already elapsed.

There tends to be a lot of scaremongering in the world of crypto.  I
think it's generally wise to be careful in our declarations.  It is
enough to say SHA-1 is known to not meet its design specifications and
that some fairly devastating attacks against it will likely be coming
along in the near future.  That's already a good enough reason to reduce
our usage of and dependency upon SHA-1.  There's no need to fearmonger
about how the algorithm has already collapsed, because it hasn't.

> Practically, collisions can be generated for 75 of the 80 rounds[0].

Right now, only random collisions can be generated.  That's not any use
in forging a signature, which requires a preimage collision.  A
cryptographic break is not the same as a practical exploit.

> I don't generate signatures with algorithms I consider insecure
> because that leads to people being able to forge signatures in my
> name.

Then you need to stop using OpenPGP altogether, because you're already
generating SHA-1 signatures with your certificate which can be lifted
and dropped onto new messages if/when a preimage attack is introduced
against SHA-1.

Let me make this really clear: if you believe SHA-1 is insecure, you
believe OpenPGP is insecure and you should stop using it.  SHA-1 is
hardwired into the OpenPGP spec in a few different places and, as of
right now, cannot really be removed.  The new V5 key format will almost
certainly change this, but V5 won't be coming out for a good long while yet.

> If I use MD5, even for one message, that allows a moderately
> determined attacker to replay that signature on what is likely to
> become a fairly large set of messages.  I'd rather avoid that, thank
> you.

You've *already done this*.

If you truly believe this, stop using OpenPGP.



Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread Robert J. Hansen
On 7/10/2012 8:15 PM, Robert J. Hansen wrote:
> Then you need to stop using OpenPGP altogether, because you're already
> generating SHA-1 signatures with your certificate which can be lifted
> and dropped onto new messages if/when a preimage attack is introduced
> against SHA-1.

After re-reading this, I need to back off from this paragraph a bit.  I
apologize -- I've been up for almost 24 hours now and my thinking is a
bit hazy.  I know SHA-1 is hardwired into the spec, but without going to
the spec and reading it closely I'm not 100% certain that SHA-1
*signatures* are hardwired into the spec, and frankly I'm too tired to
do a detailed read of RFC4880 right now.

My apologies.

The general point remains, though, that if you believe SHA-1 is insecure
then you need to stop using OpenPGP.  A preimage collision against SHA-1
breaks OpenPGP into a lot of tiny little pieces.  Little kids might
still find those pieces useful for gluing to paper plates and giving to
their parents to hang on refrigerators, but for the rest of us we're
unlikely to have any further uses.  :)




Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread vedaal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
> The general point remains, though,
> that if you believe SHA-1 is insecure
> then you need to stop using OpenPGP.

Well, Yes, and No. ;-)
SHA1 is hardwired into the fingerprint of v4 keys.

An open pgp consensus on a v5 key will not happen overnight.

So when is it reasonable enough to suggest that SHA1
is broken enough to start working on a v5 key?

vedaal




Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-10 Thread Robert J. Hansen
On 7/11/2012 12:41 AM, vedaal wrote:
> SHA1 is hardwired into the fingerprint of v4 keys.

As soon as a V5 key spec is released, I'll revise my statement.  Until
then, OpenPGP has an unfortunate dependency on hashes that do not have
good long-term prospects.  :)

> So when is it reasonable enough to suggest that SHA1 is broken enough
> to start working on a v5 key?

V5 discussions will not kick off in earnest until NIST announces the new
hash standard, or so I've heard people from the working group say.




why is SHA1 used? How do I get SHA256 to be used?

2012-07-09 Thread Sam Smith

Here's the result of ShowPRef for my key:
Cipher: AES256, AES192, AES, CAST5, 3DES
 Digest: SHA256, SHA1, SHA384, SHA512, SHA224
 Compression: ZLIB, BZIP2, ZIP, Uncompressed

SHA1 is showing up second. So when I sign a message, why isn't SHA256 used? The 
headers on my emails appear to show SHA1 as the hash being used.

I no longer consider SHA1 secure. Neither does the U.S. Government. So I don't 
want it to be the default hash being used.

How do I get SHA256 to be the default hash used when I sign emails and encrypt 
them?
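Mail headers are only a hint about the hash; the signature packet itself records the digest algorithm. The following added example (not GnuPG code, and not from anyone in the thread) reads the digest out of `gpg --list-packets` output and out of the `Hash:` armor header of a clearsigned message, using the OpenPGP hash algorithm IDs from RFC 4880 section 9.4. The sample packet dump is constructed to look like gpg's output; the key ID and timestamps in it are placeholders, and the helper names are assumptions.

```python
"""Find out which digest a signature really used, instead of guessing from
mail headers.  Added example, not GnuPG code; sample output is constructed."""
import re

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_ALGO_IDS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160",
                 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}

# `gpg --list-packets` prints one "digest algo N" line per signature packet.
_DIGEST_RE = re.compile(r"^\s*digest algo (\d+)", re.M)
# Clearsigned messages carry the digest name as an armor header.
_HASH_HDR_RE = re.compile(r"^Hash:\s*(\S+)", re.M)


def digests_from_list_packets(text):
    """Digest algorithm names of every signature packet in the dump, in order."""
    return [HASH_ALGO_IDS.get(int(n), f"unknown({n})")
            for n in _DIGEST_RE.findall(text)]


def digest_from_clearsign(text):
    """The Hash: armor header of a clearsigned message, or None.

    The header only tells the verifier which hash to run over the text; the
    signature packet (see above) is the authoritative record."""
    m = _HASH_HDR_RE.search(text)
    return m.group(1) if m else None


def uses_only(text, allowed=("SHA256", "SHA384", "SHA512", "SHA224")):
    """True when the dump holds at least one signature and every signature
    packet in it uses one of the allowed digests."""
    found = digests_from_list_packets(text)
    return bool(found) and all(d in allowed for d in found)


# Constructed sample: a detached DSA signature made with SHA1, as gpg
# --list-packets would show it.  Key ID and timestamps are placeholders.
SAMPLE_SHA1 = """\
:signature packet: algo 17, keyid 0123456789ABCDEF
\tversion 4, created 1341900000, md5len 0, sigclass 0x00
\tdigest algo 2, begin of digest ab cd
\thashed subpkt 2 len 4 (sig created 2012-07-10)
\tsubpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
\tdata: [160 bits]
\tdata: [159 bits]
"""

# Constructed sample: the same signature, but the signer's digest was SHA256.
SAMPLE_SHA256 = SAMPLE_SHA1.replace("digest algo 2,", "digest algo 8,")

# Constructed sample: the first lines of a clearsigned message.
SAMPLE_CLEARSIGN = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nhello\n"


if __name__ == "__main__":
    # In practice: feed this the output of `gpg --list-packets msg.sig`.
    for name, dump in (("sha1 sample", SAMPLE_SHA1), ("sha256 sample", SAMPLE_SHA256)):
        print(name, digests_from_list_packets(dump), "ok" if uses_only(dump) else "weak digest")
    print("clearsign header:", digest_from_clearsign(SAMPLE_CLEARSIGN))
```

To check a real signature, pipe `gpg --list-packets` output into `digests_from_list_packets`; a signed-and-encrypted message has to be decrypted first, since the signature packet sits inside the encrypted data.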


Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-09 Thread Hauke Laging
On Mon 09.07.2012, 17:45:37 Sam Smith wrote:
> Here's the result of ShowPRef for my key:
> Cipher: AES256, AES192, AES, CAST5, 3DES
>  Digest: SHA256, SHA1, SHA384, SHA512, SHA224
>  Compression: ZLIB, BZIP2, ZIP, Uncompressed
>
> SHA1 is showing up second. So when I sign a message, why isn't SHA256 used?

Your key tells others what to do. For what you do yourself ("when I sign a
message") you have to edit the config file.


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814



Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-09 Thread Laurent Jumet

Hello Sam !

Sam Smith smick...@hotmail.com wrote:

> Here's the result of ShowPRef for my key:
> Cipher: AES256, AES192, AES, CAST5, 3DES
>  Digest: SHA256, SHA1, SHA384, SHA512, SHA224
>  Compression: ZLIB, BZIP2, ZIP, Uncompressed
> SHA1 is showing up second. So when I sign a message, why isn't SHA256 used?
> The headers on my emails appear to show SHA1 as the hash being used.
> I no longer consider SHA1 secure. Neither does the U.S. Government. So I
> don't want it to be the default hash being used.
> How do I get SHA256 to be the default hash used when I sign emails and
> encrypt them?

I think that by default, --gnupg is in use; --gnupg means --openpgp
This means strict OpenPGP behaviour: MD5, SHA1, RIPEMD160

Try using --digest-algo SHA256 in the command line or GPG.CONF; maybe
you'll need to suppress --personal-digest-preferences from GPG.CONF (I don't
know).

-- 
Laurent Jumet
  KeyID: 0xCFAF704C



Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-09 Thread Robert J. Hansen
On 07/09/2012 06:18 PM, Laurent Jumet wrote:
> I think that by default, --gnupg is in use; --gnupg means --openpgp
> This means strict OpenPGP behaviour: MD5, SHA1, RIPEMD160

Nope.

> Try using --digest-algo SHA256 in the command line or GPG.CONF;
> may be you'll need to suppress --personal-digest-preferences from
> GPG.CONF (I don't know).

I feel like I've said this several times in the past few months.  Let me
say it one more time, loudly:

DON'T USE --cipher-algo OR --digest-algo UNLESS YOU KNOW EXACTLY WHAT
YOU'RE DOING AND WHY.  IT'S EASY TO CREATE MESSAGES YOUR RECIPIENT
CANNOT READ.  USE THE --personal-X-preferences INSTEAD.

I feel like I ought to apologize for shouting, but really, this has been
said so many times in the last couple of months that I'm getting really
frustrated with correcting the "oh, just use --X-algo!" misadvice that
gets handed out so often.

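The difference Robert is shouting about comes down to negotiation versus override: gpg's documentation describes --personal-digest-preferences as a ranked list from which gpg picks the highest entry that every recipient key also lists (and the top entry when signing without encryption), while --digest-algo forces one digest no matter what recipients support. RFC 4880 section 13.3.2 adds that SHA1, as the MUST-implement hash, is tacitly at the end of every preference list, which is also why the thread's earlier question about falling back to SHA-1 is answered "yes" by the spec. The following is an added model of those rules, not GnuPG's own selection code; the function names and the sample preference lists are assumptions (the "modern" list is Sam's ShowPref output, the "old" list a constructed pre-SHA-256 implementation), and it deliberately leaves out the DSA key-size constraint discussed elsewhere in the thread.

```python
"""Model of --personal-digest-preferences versus --digest-algo.

Added example, not GnuPG code.  Based on the documented behaviour: choose
the highest-ranked digest in your own list that all recipient keys support,
with SHA1 tacitly at the end of every list (RFC 4880 section 13.3.2);
--digest-algo bypasses that negotiation entirely."""

IMPLICIT = "SHA1"   # MUST-implement hash: tacitly present in every preference list


def select_digest(personal_prefs, recipient_prefs, digest_algo=None):
    """Return the digest these rules would pick.

    personal_prefs:  your ordered list (personal-digest-preferences)
    recipient_prefs: one ordered list per recipient key; empty when only
                     signing, since then there is nobody to negotiate with
    digest_algo:     value of --digest-algo, which forces the result
    """
    if digest_algo is not None:
        return digest_algo                      # override: recipients ignored
    if not recipient_prefs:
        return personal_prefs[0] if personal_prefs else IMPLICIT
    supported = [set(p) | {IMPLICIT} for p in recipient_prefs]
    for algo in list(personal_prefs) + [IMPLICIT]:
        if all(algo in s for s in supported):   # first one everyone can verify
            return algo
    return IMPLICIT                             # not reached: SHA1 is in every set


def unverifiable_by(digest, recipient_prefs):
    """Indexes of recipients whose key preferences do not include `digest`.

    Non-empty output is exactly the "messages your recipient cannot read"
    failure mode that --digest-algo makes possible."""
    return [i for i, p in enumerate(recipient_prefs)
            if digest not in set(p) | {IMPLICIT}]


# Constructed sample preference lists (not real keys).
MY_PREFS = ["SHA256", "SHA384", "SHA512", "SHA224", "SHA1"]
MODERN_KEY = ["SHA256", "SHA1", "SHA384", "SHA512", "SHA224"]   # Sam's ShowPref output
OLD_PGP_KEY = ["SHA1", "RIPEMD160", "MD5"]                       # pre-SHA-256 implementation


if __name__ == "__main__":
    both = [MODERN_KEY, OLD_PGP_KEY]
    print(select_digest(MY_PREFS, []))                 # SHA256: plain signature, top of my list
    print(select_digest(MY_PREFS, [MODERN_KEY]))       # SHA256: recipient supports it
    print(select_digest(MY_PREFS, both))               # SHA1: the only digest both can verify
    forced = select_digest(MY_PREFS, both, digest_algo="SHA256")
    print(forced, unverifiable_by(forced, both))       # SHA256 [1]: the old key's owner is stuck
```

The third and fourth calls are the whole argument: with preferences, adding an old-implementation recipient silently degrades the digest to one everyone can verify; with --digest-algo you get the digest you asked for and a recipient who cannot verify the message.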


Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-09 Thread vedaal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
On 7/9/2012 7:12 PM, Robert J. Hansen wrote:
> DON'T USE --cipher-algo OR --digest-algo UNLESS YOU KNOW EXACTLY WHAT YOU'RE
> DOING AND WHY. IT'S
> EASY TO CREATE MESSAGES YOUR RECIPIENT CANNOT READ.

which open-pgp implementation can't read/verify SHA-256

(btw,
am trying out thunderbird with enigmail, and a new gmail account, to try
to not 'break threads'

please let me know if it still breaks,

thanks,

vedaal

my keys:
http://www.angelfire.com/pr/pgpf/mykeys.html
(have not yet added the new gmail uid and uploaded to keyservers)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)
Comment: Acts of Kindness better the World, and protect the Soul
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
iQIcBAEBCAAGBQJP+42lAAoJEFBvT6HTX7GG1asP/R2dpIJTBdOVkvgZVpF5Lhqp
PcK6+nou2H9MYwbv99R9VGzVqvJqm+vURAe7vbHaYJGjzi8CEitoHTotPh3FNxfG
DHbXkKhH8zW3k2ubxwOPyf1eeIaYJXX+GJHK6AFGGkU4iqmKW9481kUBoJmNg67H
SQbZAi9d5ZnqLl7/oBviRp6crT6EIw5F5Lb4yMlR0EDikuWyLa6kS1zbOIMwEco0
8lipwtoTf5vP+hwdGIWb0xo5tdNLD5iNn1KTHN0kCsLCUc3ybNfqtlV/mDBg3yrv
xTSMKdMKkoBzey9Vn0nfIZa3QwJ+u6NWSwNTwAaWc/IdWsn3JpbdbTruLYvEJo+X
cgqzqjP8t4Wpcz7GnPqWjsAEOfqH4J2ocfd8DLzasxW8l6rinN3tnj7bnd6g+XhY
KzxeFNaHEMUIKlOpaYAPxKdu6GLvRom2QR8VDHhlwUhxTphVtgUmCNDuAWfyRh2l
WfWzvZ0xjDI8r6wMdR75Ud4pDVMs7jIE8ncX3a8BI018nRamTCyqwPvvpa1BrbCF
JrH+0yf3/4nCUW4dgarzdPkgTJzRRKsJ348Uy9mEjRtyM4sDBloETcQsn0KDx68n
CV0cXUxANTuQZhrNzJyiTrJU9UR+ueaBdOIMIDrnivoYsp1qT5K/mYcvbyzqyIC9
0Bz4N71sL9FBePE8jEi8
=zLDr
-----END PGP SIGNATURE-----




Re: why is SHA1 used? How do I get SHA256 to be used?

2012-07-09 Thread Robert J. Hansen
On 7/9/2012 10:04 PM, vedaal wrote:
> which open-pgp implementation can't read/verify SHA-256

PGP 8.0 or before.  SHA-256 was introduced in 8.1, if I recall
correctly.  There are still a *lot* of people using 6.5.8.
