Robert J. Hansen | 1 May 2009 03:22

New attacks on SHA-1


Some researchers are claiming they've been able to make the Shandong
University attack on SHA-1 a factor of about 2000 times easier.  If
their research is correct, that means SHA-1 is now attackable by regular
people.

These results are not unexpected.  We knew this day would come.  For the
last couple of years most crypto nerds have been strongly recommending
people either migrate away from SHA-1 immediately, or at the very least
have a migration plan put together.

If you have already migrated -- then you may ignore this development.

If you have not -- then it is increasingly urgent you do so.

Original URL:

http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
David Shaw | 1 May 2009 06:00

Re: New attacks on SHA-1

On Apr 30, 2009, at 9:22 PM, Robert J. Hansen wrote:
> Some researchers are claiming they've been able to make the Shandong
> University attack on SHA-1 a factor of about 2000 times easier. If
> their research is correct, that means SHA-1 is now attackable by
> regular people.
>
> These results are not unexpected. We knew this day would come. For the
> last couple of years most crypto nerds have been strongly recommending
> people either migrate away from SHA-1 immediately, or at the very
> least have a migration plan put together.
>
> If you have already migrated -- then you may ignore this development.
>
> If you have not -- then it is increasingly urgent you do so.
>
Indeed.  Even before this new potential attack, the expected useful  
lifespan of the SHA-1 algorithm was scheduled to run out at the end of  
2010 (as per NIST SP800-57).  If you're still in the theater, it's  
really time to proceed (in a dignified and organized manner) to the  
exits.

For amusement, the other algorithms that "expire" at the end of 2010  
include RIPEMD/160, 1024-bit RSA, and 1024-bit DSA.  I don't think  
there are many 1024-bit RSA keys still out there, but there is an  
awful lot of 1024-bit DSA as it is the default key type in GPG.

David

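David's remark about the "awful lot of 1024-bit DSA" raises the practical question of how to find such keys in a keyring. The script below is an added example for this thread, not GnuPG project code: it parses the machine-readable `gpg --list-keys --with-colons` format (record type, key length, algorithm number and capability letters are fields 1, 3, 4 and 12) and flags every RSA or DSA key or subkey below 2048 bits, which is the end-of-2010 class David describes. The key listing embedded in it is constructed for the demo; the 2048-bit threshold is an assumption of the example.

```python
"""Inventory an OpenPGP keyring for the key sizes that, per the thread,
"expire" at the end of 2010 (1024-bit RSA, 1024-bit DSA).

Added example; not GnuPG code.  SAMPLE_LISTING is constructed for the demo
(made-up key IDs, names and dates) in the --with-colons format.
"""

# Public-key algorithm numbers as printed in field 4 of --with-colons output.
ALGO_NAMES = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "Elgamal", 17: "DSA"}
RSA_OR_DSA = {1, 2, 3, 17}

# Assumption for the demo: RSA/DSA below this size is treated as deprecated.
MIN_BITS = 2048

# Constructed sample: Alice has a 1024-bit DSA primary with an Elgamal subkey,
# Bob a 4096-bit RSA key, Carol an old 1024-bit RSA sign+encrypt key.
SAMPLE_LISTING = """\
tru::1:1241136000:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:1078099200:::u:::scSC:
uid:u::::1078099200::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Alice Example <alice@example.org>:
sub:u:2048:16:FEDCBA9876543210:1078099200::::::e:
pub:u:4096:1:1111222233334444:1241049600:::u:::scSC:
uid:u::::1241049600::1234567890ABCDEF1234567890ABCDEF12345678::Bob Example <bob@example.org>:
sub:u:4096:1:5555666677778888:1241049600::::::e:
pub:f:1024:1:AAAABBBBCCCCDDDD:995155200:::f:::scESC:
uid:f::::995155200::ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCD::Carol Example <carol@example.org>:
"""


def parse_key_records(listing):
    """Yield (record_type, bits, algo_id, keyid, capabilities) for key records."""
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub", "sec", "ssb"):
            continue  # uid/fpr/tru lines carry no key size
        bits = int(fields[2])
        algo = int(fields[3])
        keyid = fields[4]
        caps = fields[11] if len(fields) > 11 else ""
        yield fields[0], bits, algo, keyid, caps


def find_weak_keys(listing, min_bits=MIN_BITS):
    """Return [(keyid, record_type, algo_name, bits, caps)] for every RSA or
    DSA key/subkey smaller than min_bits.  Elgamal is left alone here because
    the thread's SP 800-57 reading names RSA and DSA."""
    weak = []
    for rtype, bits, algo, keyid, caps in parse_key_records(listing):
        if algo in RSA_OR_DSA and bits < min_bits:
            weak.append((keyid, rtype, ALGO_NAMES.get(algo, str(algo)), bits, caps))
    return weak


def signing_keys_at_risk(listing, min_bits=MIN_BITS):
    """Key IDs of weak keys that can sign or certify (capability letters s/S/c/C).
    These are the ones a hash-function weakness bears on most directly."""
    return [keyid for keyid, _, _, _, caps in find_weak_keys(listing, min_bits)
            if set(caps) & set("sScC")]


if __name__ == "__main__":
    for keyid, rtype, algo, bits, caps in find_weak_keys(SAMPLE_LISTING):
        print(f"{rtype} {keyid}: {algo}-{bits} capabilities={caps}")
```

On a real system the listing would come from `gpg --list-keys --with-colons` (and `--list-secret-keys --with-colons` for the keys you own); the parser ignores the records it does not need, so the extra fields newer GnuPG versions print do not matter.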

Joseph N. | 1 May 2009 17:29

Re: New attacks on SHA-1

> For the last couple of years most crypto nerds have been strongly
> recommending people either migrate away from SHA-1 immediately, or at
> the very least have a migration plan put together.

Would an appropriate migration plan be to create/upload new keys and to 
revoke all older ones that were based on the deprecated hashes?

-- 
JN

------------------------------------

______________________________________________________________
Archives:                  http://groups.yahoo.com/group/PGP-Basics/messages
OT List:                         http://groups.yahoo.com/group/PGP-Basics-OT
OT Subscribe:                 mailto:PGP-Basics-OT-subscribe <at> yahoogroups.com

Gossamer Spider Web of Trust                           https://www.gswot.org

Yahoo! Groups Links

<*> To visit your group on the web, go to:
    http://groups.yahoo.com/group/PGP-Basics/

<*> Your email settings:
    Individual Email | Traditional

<*> To change settings online go to:
    http://groups.yahoo.com/group/PGP-Basics/join
    (Yahoo! ID required)

<*> To change settings via email:

Robert J. Hansen | 1 May 2009 17:58

Re: New attacks on SHA-1

Joseph N. wrote:
> Would an appropriate migration plan be to create/upload new keys and to 
> revoke all older ones that were based on the deprecated hashes?

There is nothing intrinsically wrong with what you're talking about.  If
you do it right, it can also be good practice.

If you have a checklist for what to do when you revoke a key, try
following it and see how well it works.  If you don't, now's a great
time to make one.  Once you have your checklist written up, you can use
it the next time you need to revoke a key.

It's human nature to screw things up -- but coming up with a plan,
following the plan and then improving the plan... that's just good
engineering.  :)


Joseph N. | 2 May 2009 21:11

Re: New attacks on SHA-1

>> Would an appropriate migration plan be to create/upload new keys
>> and to revoke all older ones that were based on the deprecated
>> hashes?
> 
> There is nothing intrinsically wrong with what you're talking about.
> If you do it right, it can also be good practice.

I've done it before, so I think I'm good with it, but a new issue came 
to mind:

I've never gone down the sign-one-key-with-another route.  Would this be 
a good situation to do that in order to engender trust, or--cuz I don't 
totally understand what "signing" means--would that action somehow 
weaken the new key?

--

-- 
JN


Marc J. Miller | 2 May 2009 23:31

RE: New attacks on SHA-1

A signature means "I believe this key (and/or email address) belongs to the person named."

The more signatures a key has, the more you can trust it.  So signing a completely new key with the old key adds
some assurance because there is a lot of trust in your old key, but it's still just one signature so it
doesn't inherit all of that trust.  Consider that each sig is still prone to human error.

For this situation, I suggest you generate a new subkey rather than a completely new key.  Anyone else care to
weigh in?  

-----Original Message-----
From: Joseph N. <jbn10161 <at> fastmail.fm>
Sent: Saturday, May 02, 2009 12:11 PM
To: PGP-Basics <at> yahoogroups.com
Subject: Re: New attacks on SHA-1

>> Would an appropriate migration plan be to create/upload new keys
>> and to revoke all older ones that were based on the deprecated
>> hashes?
> 
> There is nothing intrinsically wrong with what you're talking about.
> If you do it right, it can also be good practice.

I've done it before, so I think I'm good with it, but a new issue came 
to mind:

I've never gone down the sign-one-key-with-another route.  Would this be 
a good situation to do that in order to engender trust, or--cuz I don't 
totally understand what "signing" means--would that action somehow 
weaken the new key?


Joseph N. | 2 May 2009 23:52

Re: New attacks on SHA-1

Does the significance of this issue affect only encryption keys, or also 
signature keys?  While it seems likely to me that it would have to 
affect signature keys, although obviously with different effects, my 
real issue relates to the remedy.  GnuPG, at least when operated through 
GPGshell, allows DSA signing keys only up to 1024.  Am I missing 
something?  Or should I just worry about the encryption key?

-- 
JN


Robert J. Hansen | 2 May 2009 23:59

Re: New attacks on SHA-1

Joseph N. wrote:
> Does the significance of this issue affect only encryption keys, or
> also signature keys?

It affects signature keys far more so than encryption keys.

> GnuPG, at least when operated through GPGshell, allows DSA signing
> keys only up to 1024.

Add "enable-dsa2" to your gpg.conf file and try again.


Robert J. Hansen | 3 May 2009 00:44

Re: New attacks on SHA-1

Marc J. Miller wrote:
> The more signatures a key has, the more you can trust it.

This is dangerously wrong.  Very dangerously wrong.

If I give you a key with 5,000 signatures, none of which are from keys
you know and have verified, really, how valid is it?

If I give you a key with 5,000 signatures, one of which is from a key
you know and have verified and whose owner you trust, how valid is it?

If I give you a key with 5,000 signatures, all of which come from keys
you know and have verified and whose owners you trust, how valid is it?

The answers are "not at all," "completely," and "completely."

The number of signatures doesn't matter.  The presence of just one
correct signature from a validated key belonging to a trusted user...
that matters quite a lot.

> For this situation, I suggest you generate a new subkey rather than a
> completely new key.  Anyone else care to weigh in?

Let me see if I've got this straight.  You are counseling that:

* SHA-1 is dangerously weak.
* If your primary signing key uses SHA-1, you should generate a new
  signing subkey using a better algorithm.
* Don't revoke your keypair.

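Robert's three scenarios are a validity calculation, and it helps to see it as one. The code below is an added example, not part of his post or of GnuPG: it scores a key's validity from the certifications on it, giving weight only to signatures from keys the user has validated and whose owners the user trusts. It goes a little beyond the post by also modelling marginally trusted signers with GnuPG's classic-trust-model defaults (one fully trusted signer, or three marginally trusted ones, makes a key fully valid); the signers, key IDs and trust assignments are constructed for the demo.

```python
"""Key validity as Robert describes it: the count of signatures is irrelevant,
a single correct signature from a validated key whose owner you trust is what
matters.

Added example, not from the thread.  Thresholds are GnuPG's classic trust
model defaults (completes-needed=1, marginals-needed=3); every Signer below
is constructed for the demo.
"""
from dataclasses import dataclass


@dataclass
class Signer:
    keyid: str
    validated: bool   # have *I* verified that this key belongs to its owner?
    ownertrust: str   # how far I trust the owner to certify others: "full", "marginal", "unknown"


def key_validity(signatures, completes_needed=1, marginals_needed=3):
    """Return "full" if the certifications establish the key, else "none".

    A signature only counts when the signing key is itself validated AND its
    owner has been assigned trust; thousands of signatures from unknown keys
    add up to nothing."""
    full = sum(1 for s in signatures if s.validated and s.ownertrust == "full")
    marginal = sum(1 for s in signatures if s.validated and s.ownertrust == "marginal")
    if full >= completes_needed or marginal >= marginals_needed:
        return "full"
    return "none"


def strangers(count):
    """Constructed signers I have never verified and whose owners I do not know."""
    return [Signer(f"STRANGER{i:04d}", validated=False, ownertrust="unknown")
            for i in range(count)]


def scenario_none():
    """5,000 signatures, none from a key I know."""
    return key_validity(strangers(5000))


def scenario_one():
    """5,000 signatures, exactly one from a validated key of a trusted owner."""
    return key_validity(strangers(4999) + [Signer("FRIEND0001", True, "full")])


def scenario_all():
    """5,000 signatures, all from validated keys of trusted owners."""
    return key_validity([Signer(f"FRIEND{i:04d}", True, "full") for i in range(5000)])


def scenario_marginals(count):
    """Generalization beyond the post: count marginally trusted, validated signers."""
    return key_validity([Signer(f"MARGINAL{i:04d}", True, "marginal") for i in range(count)])


def scenario_trusted_but_unverified():
    """Owner trust without having validated the signer's key still counts for nothing."""
    return key_validity([Signer("UNCHECKED01", validated=False, ownertrust="full")])


if __name__ == "__main__":
    for name, fn in [("none known", scenario_none), ("one known", scenario_one),
                     ("all known", scenario_all)]:
        print(f"{name}: {fn()}")
```

The last scenario is the one people trip over in practice: assigning owner trust to someone whose key you never actually checked gives their signatures weight they should not have, which is the human-error angle Marc mentions.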

Marc J. Miller | 3 May 2009 01:56

RE: Re: New attacks on SHA-1

In GnuPG they're the same key.  When you sign a message without encrypting it you provide a hash that is used to
verify the message.  The signature can only be created by your private key (which only you have) and can be
verified using your public key (which can be viewed by everyone).  When you encrypt, you use the
recipient's public key to hide the contents of the message, but only the recipient's private key can
decode it.

However signing a key is different from signing an email.  Signing a key is a way to leave a mark on someone's
key that "I trust this key."  Signing a message is used to verify that it hasn't been modified.  Completely
different concept.

-----Original Message-----
From: Joseph N. <jbn10161 <at> fastmail.fm>
Sent: Saturday, May 02, 2009 2:52 PM
To: PGP-Basics <at> yahoogroups.com
Subject: Re:New attacks on SHA-1

Does the significance of this issue affect only encryption keys, or also 
signature keys?  While it seems likely to me that it would have to 
affect signature keys, although obviously with different effects, my 
real issue relates to the remedy.  GnuPG, at least when operated through 
GPGshell, allows DSA signing keys only up to 1024.  Am I missing 
something?  Or should I just worry about the encryption key?

--

-- 
JN

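Marc's description of signing versus encrypting, and Robert's earlier point that the weakness "affects signature keys far more than encryption keys", both come down to where the hash is used. The following is an added example, not from the thread or from GnuPG: a toy RSA in which a message signature is "hash, then sign the hash with the private key", a key certification is the same operation over the public key and user ID it binds (Marc's L177 meaning: "this key belongs to the person named"), and encryption operates on the plaintext block with no hash at all. The primes (Mersenne numbers M61, M31, M19, M17), names and messages are constructed for the demo; the moduli are far too small for real use.

```python
"""Toy RSA showing where the digest algorithm enters: message signatures and
key certifications hash first, encryption does not.

Added example, not from the thread and not how GnuPG is implemented.  The key
material below is constructed from small Mersenne primes for the demo and is
not secure.
"""
import hashlib
import math


def _modinv(a, m):
    """Modular inverse by extended Euclid (avoids relying on pow(a, -1, m))."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    assert old_r == 1, "e must be invertible"
    return old_s % m


def toy_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) for the toy primes p and q."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return (n, e), (n, _modinv(e, lam))


ALICE_PUB, ALICE_PRIV = toy_keypair(2**61 - 1, 2**31 - 1)  # constructed demo key
BOB_PUB, BOB_PRIV = toy_keypair(2**19 - 1, 2**17 - 1)      # constructed demo key


def digest(data, n, algo="sha256"):
    """Hash the data and reduce into the signer's group; only signing uses this."""
    return int.from_bytes(hashlib.new(algo, data).digest(), "big") % n


def sign(data, priv, algo="sha256"):
    n, d = priv
    return pow(digest(data, n, algo), d, n)


def verify(data, sig, pub, algo="sha256"):
    n, e = pub
    return pow(sig, e, n) == digest(data, n, algo)


def cert_bytes(pubkey, userid):
    """What a key certification covers: the key material plus the name it binds."""
    n, e = pubkey
    return b"%d:%d:%s" % (n, e, userid.encode())


def certify(pubkey, userid, certifier_priv, algo="sha256"):
    """'Signing a key': the same primitive as a message signature, over cert_bytes."""
    return sign(cert_bytes(pubkey, userid), certifier_priv, algo)


def verify_certification(pubkey, userid, sig, certifier_pub, algo="sha256"):
    return verify(cert_bytes(pubkey, userid), sig, certifier_pub, algo)


def encrypt(m, pub):
    """Encryption transforms the plaintext block directly: no digest involved."""
    n, e = pub
    assert 0 <= m < n, "block must fit the modulus"
    return pow(m, e, n)


def decrypt(c, priv):
    n, d = priv
    return pow(c, d, n)


if __name__ == "__main__":
    msg = b"migrate off SHA-1 before the end of 2010"
    s = sign(msg, ALICE_PRIV)
    print("message signature verifies:", verify(msg, s, ALICE_PUB))
    c = certify(BOB_PUB, "Bob Example <bob@example.org>", ALICE_PRIV)
    print("Alice's certification of Bob's key verifies:",
          verify_certification(BOB_PUB, "Bob Example <bob@example.org>", c, ALICE_PUB))
    m = int.from_bytes(b"secret", "big")
    print("round trip:", decrypt(encrypt(m, ALICE_PUB), ALICE_PRIV) == m)
```

Swapping `algo="sha1"` into `sign`, `verify` and `certify` changes the signatures but leaves `encrypt`/`decrypt` untouched, which is the concrete reason a digest weakness is a signing-key problem: anything that lets two different inputs share a digest lets one signature or certification stand for both, while the encryption path never consults the digest.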
