PGP Moving To Stronger SHA Algorithms

← Back to Stories (view on slashdot.org)

PGP Moving To Stronger SHA Algorithms

Posted by timothy on Sunday February 20, 2005 @09:01AM from the 511-upmanship dept.

PGP Corp. is moving to a stronger SHA Algorithm (SHA-256 and SHA-512) as consequence of the research conducted by the team at Shandong University in China who broke the SHA-1 algorithm. (See this earlier story for more information on the SHA-1 vulnerability.)

5 of 247 comments (clear)

Min score:

Reason:

Sort:

Re:Come on... by abelsson · 2005-02-20 09:16 · Score: 3, Interesting

No, they did indeed break it. An attack is now practical for a well funded adversary, where it wasn't before - practical attacks being known is the very definition of when a cryptographic algorithm is considered broken.
SHA-1 break illustrated.. by __aaijsn7246 · 2005-02-20 09:17 · Score: 5, Interesting

http://lists.gnupg.org/pipermail/gnupg-users/2005- February/024862.html

Atom Smasher atom at smasher.org
Wed Feb 16 21:56:25 CET 2005

Hash: SHA256

this should help put the (alleged until proven otherwise) SHA-1 break into
perspective. thanks to Sascha Kiefer for giving me the idea.

let's say that unbroken SHA-1 represents a 100 meter (328 ft) wall. if a
break allows a collision to be found in merely 2^69 operations (on
average), that would mean the wall has crumbled to 4.9 cm (1.9 in) tall.
that's broken!!

OTOH, let's say that unbroken MD5 represents a 100 meter (328 ft) wall.
comparing unbroken MD5 to broken SHA-1 means the wall would actually grow
from 100 meters (328 ft) tall to 3.2 km (1.99 miles) tall. SHA-1, even if
it's broken enough to find a collision in 2^69 operations (on average), is
still stronger than MD5 was ever meant to be.

again, using unbroken MD5 as our reference of a 100 meter (328 ft) wall,
unbroken SHA-1 would be a wall 6553.6 km (4072 miles) tall. SHA-1 was
intended to be incredibly stronger than MD5.

- -- ...atom
Re:Not a solution by Mr2cents · 2005-02-20 09:20 · Score: 4, Interesting

Why not sign using two hashes? You'll need to find a chunk of data that generates two collisions with two different hashing algorithms. Let'em chew on that one!

--
"It's too bad that stupidity isn't painful." - Anton LaVey
Re:Come on... by abelsson · 2005-02-20 09:49 · Score: 4, Interesting

Bruce Schneier estimates that a SHA-1 collision finding machine, built along the same lines as the old DES cracker would cost $25M-$38M and could do the needed 2^69 calculations in 56 hours. distributed.net has already completed a 2^64 operation challenge a few years ago, which along with Moores law puts 2^69 ops into the realm of the possible.

Fighting the FUD, indeed.
GnuPG has this already by Gemini · 2005-02-20 13:44 · Score: 3, Interesting

To forestall the obvious question about GnuPG compatibility, GnuPG has had SHA-256, SHA-384, and SHA-512 since version 1.2.2 (2003-05-01) so it will interoperate nicely with the new PGP.

Incidentally, despite what the article implies, PGP has actually had SHA-256 support for a while now. It's not exposed in the GUI, but if you use GnuPG to generate a SHA-256 message, PGP can handle it.

In terms of what the SHA-1 "break" means, it is certainly time to start migrating to something stronger, but it is not time to panic and start revoking keys. Think of this as the MD5 situation in the late 1990s: a flaw was found, people migrated away, and when the serious MD5 crack was found last year, most people had already stopped using it.

The sky isn't falling. It's just a wake up call to start moving to something better.