Preparing To Migrate Off of SHA-1 In OpenPGP

jamie found a note on debian-administration.org, the first in a promised series on migrating off of SHA-1 in OpenPGP. "Last week at eurocrypt, a small group of researchers announced a fairly serious attack against the SHA-1 digest algorithm, which is used in many cryptosystems, including OpenPGP. The general consensus is that we should be 'moving in an orderly fashion toward the theater exits,' deprecating SHA-1 where possible with an eye toward abandoning it soon (one point of reference: US govt. federal agencies have been directed to cease all reliance on SHA-1 by the end of 2010, and this directive was issued before the latest results). ... So what can you do to help facilitate the move away from SHA-1? I'll outline three steps that current gpg users can do today, and then I'll walk through how to do each one..."

He's Got a Knife!

[eldavojohn]

'moving in an orderly fashion toward the theater exits'

An elderly application was trampled to death today as everyone struggled to exit the Sha One theater after someone screamed that an unknown assailant had a knife. After the panic, there was no evidence of injuries from the alleged attack and police are still investigating the presence of an actual weapon.

Re:First MD5 and now this

[piripiri]

Is there any hash function that actually is secure?

Of course the good ol' rot13 !

In theory, no

[3.5+stripes]

In reality, given the time and effort, processing power, etc... yeah, there are some secure ones.

They're like locks, they make getting in hard enough that most people will look for an easier target.

Re:In theory, no

[AvitarX]

Considering the time for even a modestly skilled person to get into most locks is < 5 minutes (home locks anyway), I would say that it is not perfect.

High-security locks take longer, as does high-security encryption. We only need to use algorithms that have a MTBF of around 1000 years today, and baring quantum breakthroughs your pretty safe. I mean how long does even the most sensitive data need to remain protected? 30 years?

I guess if you are a high-profile politician/activist, or a murderer a little longer?

Re:In theory, no

[coolsnowmen]

I mean how long does even the most sensitive data need to remain protected? 30 years?

Whatever the copyright length is...so about forever.

Re:In theory, no

[rlseaman]

A filing cabinet with 50 year old government secrets might need to be as physically secure now as it was 50 years ago. Where as my expired and canceled credit card numbers, not so much.

Yes, but the value of physical security is cumulative. If you manage to protect government secrets for 50 years - even if this involves a $2 padlock and a footlocker - the security can be upgraded at any point to a higher level suitable for current threats. Cyber security on the other hand is only as good as its weakest expression over those 50 years. Expose a rot13 copy of a file even one time and it doesn't matter if you later re-encrypt the file using the NSA's latest and greatest algorithm.

Re:First MD5 and now this

Perfect security is not feasible. "Secure enough" changes over time.

SHA2 Family still secure

[marcosdumay]

From TFA, so others don't have to read it, GPG will stay with SHA 224, SHA 256, SHA 384 and SHA 512.

Re:SHA2 Family still secure

If I understand the attack correctly, I think most real-world SHA-1 usage should be secure for the time being. From the looks of it, the researchers were able to reduce the time necessary to find two inputs that hash to the same digest. This is very different from finding a second input that hashes to a known digest. If that were the case, common hash applications like storing the digest of passwords or a digital signatures would be vulnerable.

But until researchers can take a known digest value and find an alternate set of input data, most real-world applications should be okay. News like this should make people start to look at when they can conveniently migrate away from SHA-1, but it's not something that requires immediate attention.

Re:First MD5 and now this

[eldavojohn]

Is there any hash function that actually is secure?

Of course the good ol' rot13 !

Not secure enough, better apply it twice for double protection.

You can tell the men from the boys by how many times they do things. Like when I restart my computer, I do it three times to make sure it will work when the things start back up inside it.

Re:First MD5 and now this

[swillden]

Is there any hash function that actually is secure?

There are some for which no known attacks exist. SHA-256 and SHA-512, Whirlpool and Tiger are all pretty thoroughly-reviewed with no weaknesses uncovered. The NIST hash function competition is causing a great deal of new hash function research and we'll almost certainly get a bunch of great new hash functions out of it -- many of them not only secure, but significantly faster than SHA-1.

If you're thinking that "no known attacks" isn't good enough, keep in mind that's as good as it every gets in cryptography, with the sole exception of the One Time Pad

Re:First MD5 and now this

[Amouth]

by definishion a hash function can't be safe you are taking something that is of unknown size and giving a specific lenght result which will always be the same for a given input.

due to the limited length of the result using inputs larger than the result you can assure at some point there will be a collision (2 diffrent inputs with the same output)

MD5 failed after enough people looked at it and someone figured out how to salt it to get collisions quite quickly.

as proccessing power increases brute force is getting easier - but when you find a way of cutting down the brute force required.. that is when something can become very weak very quickly.

Aww man, I just upgraded to SHA-1

I guess I'll just go back to good old MD5.

Re:First MD5 and now this

That is not what secure means with regard to hash functions. Secure means that it is not feasible to construct a document which has the same hash value as a given document (pre-image attack) or to construct two documents which have the same hash value (collision attack). The complexity of these attacks is ideally such that simply enumerating documents is the fastest way (brute force). Reducing the number of documents which you have to try to find a match makes a successful attack more likely. The complexity which is deemed as breaking the hash function depends on the adversaries and time frames relevant to a particular application.

Re:Reencrypting Stored Secrets?

[John+Goerzen]

SHA-1 doesn't encrypt things. It makes a hash of them, to verify they haven't been modified.

There are no secrets encrypted with SHA-1 because SHA-1 doesn't encrypt things.

Stupid question, but... multiple hashes?

[tlhIngan]

Really stupid question (not a cryptographer), but is there anything wrong with using multiple hash algorithms (hopefully none derived from one another)? Surely breaking two or more hashes simultaneously would be far harder?

E.g., MD5 is broken. But what if we use both MD5 and SHA-1?

Re:Stupid question, but... multiple hashes?

[russotto]

Really stupid question (not a cryptographer), but is there anything wrong with using multiple hash algorithms (hopefully none derived from one another)? Surely breaking two or more hashes simultaneously would be far harder?

E.g., MD5 is broken. But what if we use both MD5 and SHA-1?

Unfortunately not; once you've broken the strongest hash, the rest can be broken in polynomial time.

http://article.gmane.org/gmane.comp.encryption.general/5154

Re:Stupid question, but... multiple hashes?

[SparkleMotion88]

Surely breaking two or more hashes simultaneously would be far harder

You can't be "sure" about much in cryptography. If m is a message, and f and g are hash functions, you are assuming that you get more security from f(g(m)) than from f(m). You have to define what kind of security you are hoping for. With hash algorithms, you usually want: given m', it is difficult to find some m where h(m) = m'.

So to answer your question, using f(g(m)) would only be more secure than f(m) if f contains some vulnerability and no cryptanalytic vulnerability is introduced by combining f and g. If I don't have any information about either type of vulnerability, I would have no reason to assume that f(g(m)) is more secure than f(m). In this situation, I would stick with f(m) because it has been studied more and people have probably spent time trying to break it.

To put it another way, breaking f(g(m)) does not necessarily require breaking both f and g. The resulting algorithm that you get by composing f with g is still only one algorithm (just like SHA-1), and that is the only algorithm that needs to be broken.

Re:Stupid question, but... multiple hashes?

[YesIAmAScript]

I'm not so sure he's talking about applying one hash to the other's output, as much as performing both hashes on the same material and storing both results, also checking both results. Then you'd have to create a collision for both hashes in order to beat the system.

Re:Stupid question, but... multiple hashes?

[blueg3]

This has nothing to do with multiple hash algorithms. What you're referring to is that finding an n-way collision from a 2-way collision is polynomial time. That is, a 2-way collision is two documents with the same hash, and an n-way collision is n documents with the same hash.

Finding a pair of documents that have the same SHA1 hash doesn't help you find a pair of documents with the same MD5 hash. Indeed, none of the efficient-collision algorithms allow you to find collisions in both SHA1 and MD5 simultaneously. (Note that, as far as I know, there aren't even any efficient preimage attacks on MD5 or SHA1, only collision attacks.)

Using multiple hash algorithms is helpful, yes.

Well that's unfortunate

[Morphine007]

Guess the Aussies overpaid, since their $560k "unbreakable" cryptosystem relies on SHA-1. Shock of shocks, I know...

If so, someone please put this to good use!

[YesIAmAScript]

So many major systems are secured with PK systems that depend on SHA-1 hashes now. If this can be broken, someone please put this to good use by making a collision that makes it possible for people to write homebrew code for the PS3 or 360.

I keep hearing about all these hash collisions and how I should be scared, but I wish I could at least get the good with the bad.

better packaging for debian

[bcrowell]

So what can you do to help facilitate the move away from SHA-1?

One specific thing that would really help would be if debian would make it a priority to do a complete job of packaging the relevant hash functions, along with bindings for popular languages. For instance, I have an open-source perl app that uses digital watermarks. The user can choose between SHA1 and Whirlpool. However, I want to keep my app simple for users to install, and the perl binding for Whirlpool hasn't been packaged for debian yet, so I've made SHA1 the default. A debian user who wants to use Whirlpool with my app has to jump through hoops, e.g., installing the perl module via CPAN. That's actually a real pain for a debian or ubuntu user, because CPAN and apt don't play nicely; you can get in all kinds of screwed-up states if you try to install half your perl modules using apt and half using CPAN.

TFA is talking about gpg. Well, realistically, the choice of hash function is not the bottleneck in terms of security when it comes to sending encrypted or signed email. The bottleneck is mainly just that it's too hard to use (isn't built in to most GUI email clients), and in the case of encryption it also suffers from negative network effects -- there's no big benefit to me from using gpg encryption in my email unless the people I'm communicating also use the technology. The world's best crypto doesn't do you any good if you don't use it because it's too much of a pain. I think gpg is clearly a case where the perfect has been the enemy of the good. They've been so hung up on protecting the user against obscure vulnerabilities that they've ended up making the darn thing too hard for the vast majority of users. The docs, last time I checked, were basically written in Martian. I have a bachelor's degree in math, I program computers as a hobby, and I've read Schneier's Applied Cryptography. I'm not claiming that makes me a big expert on crypto, but it does put me out in front of the vast majority of the population. Well, I simply cannot figure out all the ins and outs of gpg. Okay, I could, but it would take more time than I'm willing to invest.

Re:better packaging for debian

One specific thing that would really help would be if debian would make it a priority to do a complete job of packaging the relevant hash functions, along with bindings for popular languages.

However, as this is Debian they are more likely to "disable" SHA-1 by making it emit the plaintext.

Re:First MD5 and now this

[Kjella]

If you're thinking that "no known attacks" isn't good enough, keep in mind that's as good as it every gets in cryptography

I think my math teacher would call that a "necessary but not sufficient" condition, I mean anything can be without known attacks by virtue of never having been reviewed. Minimums should include:

1. Published algorithm, no "secret sauce" security by obscurity
2. Solid peer reviews by other cryptographers, definately not just the vendor or their hirelings
3. Strong links to well-researched hard mathematical problems

Of course, nothing can guarantee that the NSA hasn't found some super-secret math thingie that'll cut through it like a knife through hot butter. But cryptography is also about eating your own dog food, if you don't use it for anything valuable who'd trust it? You can't really keep that a secret because you have to tell lots of people that this isn't really secure or they'd use it as if it were. And if you do use it for your valuables, would you really leave that kind of backdoor for someone else to find? Again it doesn't prove anything, but I think most modern crypto algorithms have no weaknesses known to anybody, and if one showed up it'd be just as big a OMG for those who made/approved it as everyone else.

What about SSL certificates?

[200_success]

According to x509(1) and ca(1), OpenSSL supports md2, md5, sha1, and mdc2 as options for message digests for certificates. Since MD2 and MD5 are already broken, and SHA1 is now suspect, that leaves just the relatively obscure MDC-2.

Re:What about SSL certificates?

[Cruicky]

The OpenSSL package in Ubuntu supports SHA224, SHA256, SHA384, and SHA512, even though it's not actually shown in the help, with the command line options being -sha224, -sha256, -sha384 and -sha512.

I've been happily using SHA512 with a personal CA for the last year.

It's possible that other distributions have also compiled in support for these hash functions in their OpenSSL packages.

Re:2^52

[iluvcapra]

Avoid bignums whenever possible

(2^57)/(2^52) = 2^(57-52) = 2^5 = 32 times speedup

Powers of 2 sneak up on you! :)

Re:2^52

you must be REALLY stupid

typical ignorant american response.

europeans, particularly the french, tend to use the , for what we use the . for and vice-versa.

so in american, this:

2^57 = 144.115.188.075.855.872

2^52 = 4.503.599.627.370.496

2^52 / 2^57 = 0,03125 = 3,125%

becomes this:

2^57 = 144,115,188,075,855,872

2^52 = 4,503,599,627,370,496

2^52 / 2^57 = 0.03125 = 3.125%

which look like much more reasonable numbers.

Re:In a related news...

[Just+Some+Guy]

...I am moving "off of" this grammar-school newsletter piece.

See also: idioms. No one where I live, ditch digger or professional, would raise an eyebrow at that phrase. Might I suggest you find larger grammatical fish to fry, or perhaps resolve not to get worked up over regional slang?

Can someone give me a quick rundown?

[swordgeek]

It's been a while since I had to deal with PGP keys and the like, and things have multiplied since then. Is there a simple explanation for the status/compatability/equivalency of...

pgp
openpgp
gpg
gnupg

And any others I'm missing?

Re:Can someone give me a quick rundown?

[molo]

Did no one really reply to this?

PGP is the original. Phil Zimmerman, export control, all the history.

OpenPGP is a specification for all input and output of a PGP system. RFC 4880. Diverges from PGP5.

GPG == GNUPG. A Free Software implementation of OpenPGP. Has now become the most commonly used OpenPGP implementation. Werner Koch is the project lead.

-molo

Re:2^52

[Joce640k]

It's a collision attack, that means you can make two files with the same SHA1 in 2^52 operations (via the birthday paradox).

In the best possible application of this attack you can make two files, one good, one incriminating and get somebody to sign the good one.

The two changeling files are generated via a randomizing process so generating meaningful text files really isn't possible, the files have to contain binary data with a 'random' appearance. Examples of this would be crypto keys, SSL certificates, stuff like that.

Anybody who makes his own files and signs them is immune to this attack. The SHA1 of your favorite Linux distro is as safe as ever.

So ... this attack isn't very useful in the real world but it does show that SHA1 is slowly being deconstructed, that relationships are being found between input bits and output bits.

Re:First MD5 and now this

[swillden]

If you're thinking that "no known attacks" isn't good enough, keep in mind that's as good as it every gets in cryptography

I think my math teacher would call that a "necessary but not sufficient" condition, I mean anything can be without known attacks by virtue of never having been reviewed. Minimums should include:

1. Published algorithm, no "secret sauce" security by obscurity 2. Solid peer reviews by other cryptographers, definitely not just the vendor or their hirelings 3. Strong links to well-researched hard mathematical problems

Absolutely correct, with the partial exception of #3. It would be nice, perhaps, if #3 applied, but most symmetric ciphers and secure hash algorithms rely on complexity rather than hard problems.

Re:2^52

Fuck yourself, eurotrash faggot piss-ant.

actually i'm an ameritrash piss-ant.

who happens to be aware of the fact that the world does not revolve around america.

and that there is more than one way of communicating.