Re: [Evolution] changing used hash-method in gnupg

["Patrick O'Callaghan" <poc usb ve>]

On Tue, 2007-10-23 at 07:22 +0200, Milan Crha wrote:
>       Hi,
> they hacked MD5, not SHA1, about 2 years ago, and it's "only" for
> messages of size >= 1024 B. One Czech cryptographic guy made a program
> to create collision in about 8 seconds on a regular notebook. :)

Flaws started being found in MD5 over 10 years ago and came to a head in
2004 when collisions were found by Chinese researchers. A practical
attack on X.509 certificates was demonstrated by Lenstra et al. in 2005.
See http://en.wikipedia.org/wiki/Md5

> SHA1 still persists, as far as I know.

In every practical sense yes, however see
http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

Basically, a flaw exists in SHA-1 (it's not collision-free) but
currently there's no reasonable way to exploit it. However at some point
it would be good to start moving away from SHA-1 in general
applications, given the experience of MD5.

For email however, even a weak hash function is not necessarily the end
of the world. Evo uses GPG hashes for digital signatures (you encrypt
the hash with your secret key) so an attacker would need to decrypt the
hash (easy), find a different message that produces the same hash, and
then try to pass off the false message as true. The exploits found so
far for hash functions don't do this. They consist in generating two
random bitstrings that have the same hash. This is what "the Czech guy"
did, i.e. his attack allows Alice to create two messages and claim she
sent message B to Bob when in fact she sent message A (if this ever came
before a judge, Bob would simply produce message A and show it has the
same hash as message B, meaning Alice must have generated both of them).

As the main use of signatures in email is to detect forgery by a third
party (e.g. spam), and so far no-one can produce a "reasonable" message
that collides with another given message, I think we're OK for now :-)

poc