Re: [Evolution] changing used hash-method in gnupg

On Tue, 2007-10-23 at 07:22 +0200, Milan Crha wrote:
> they hacked MD5, not SHA1, about 2 years ago, and it's "only" for
> messages of size >= 1024 B. One Czech cryptographic guy made a program
> to create collision in about 8 seconds on a regular notebook. :)

Flaws started being found in MD5 over 10 years ago and came to a head in
2004 when collisions were found by Chinese researchers. A practical
attack on X.509 certificates was demonstrated by Lenstra et al. in 2005.

> SHA1 still persists, as far as I know.

In every practical sense, yes; however, see

Basically, a flaw exists in SHA-1 (it's not collision-free), but
currently there's no reasonable way to exploit it. However, at some point
it would be good to start moving away from SHA-1 in general
applications, given the experience of MD5.

For email however, even a weak hash function is not necessarily the end
of the world. Evo uses GPG hashes for digital signatures (you encrypt
the hash with your secret key) so an attacker would need to decrypt the
hash (easy), find a different message that produces the same hash, and
then try to pass off the false message as true. The exploits found so
far for hash functions don't do this. They consist in generating two
random bitstrings that have the same hash. This is what "the Czech guy"
did, i.e. his attack allows Alice to create two messages and claim she
sent message B to Bob when in fact she sent message A (if this ever came
before a judge, Bob would simply produce message A and show it has the
same hash as message B, meaning Alice must have generated both of them).

As the main use of signatures in email is to detect forgery by a third
party (e.g. spam), and so far no-one can produce a "reasonable" message
that collides with another given message, I think we're OK for now :-)
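To make the distinction in the last two paragraphs concrete, here is an added example (not from this thread or from Evolution/GnuPG) that models hash-then-sign with a constructed textbook-RSA key and a deliberately truncated 16-bit SHA-1, so that Alice's "two messages, one hash" collision trick and a third party's much harder "match the hash of a given signed message" (second preimage) can both be run and compared in seconds:

```python
import hashlib
import itertools

# Constructed toy RSA key (illustrative only; real keys are far larger).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
NBITS = 16  # truncated hash width: weak on purpose so both searches finish instantly


def toy_hash(msg: bytes) -> int:
    """Truncated SHA-1 standing in for a weak hash: only the top NBITS bits survive."""
    return int.from_bytes(hashlib.sha1(msg).digest()[:4], "big") >> (32 - NBITS)


def sign(msg: bytes) -> int:
    """Hash-then-sign as described in the post: 'encrypt' the hash with the secret key."""
    return pow(toy_hash(msg), D, N)


def verify(msg: bytes, sig: int) -> bool:
    """Anyone can 'decrypt' the hash with the public key and compare it to hash(msg)."""
    return pow(sig, E, N) == toy_hash(msg)


def find_collision():
    """Alice's trick: she picks BOTH messages, so the birthday bound (~2^(NBITS/2)) applies."""
    seen = {}
    for i in itertools.count():
        m = b"I will pay Bob 10 EUR (ref %d)" % i
        h = toy_hash(m)
        if h in seen:
            return seen[h], m, i + 1  # two distinct messages, same hash, tries used
        seen[h] = m


def find_second_preimage(target: bytes):
    """A forger's problem: match the hash of a GIVEN signed message (~2^NBITS tries)."""
    th = toy_hash(target)
    for i in itertools.count():
        m = b"I will pay Mallory 1000 EUR (ref %d)" % i
        if toy_hash(m) == th:
            return m, i + 1


def demo() -> dict:
    """Run both searches against one signed message and report what verifies."""
    a, b, coll_tries = find_collision()
    sig = sign(a)  # Alice signs A, later claims she sent B
    forged, pre_tries = find_second_preimage(a)
    return {"collision_verifies": verify(b, sig), "forgery_verifies": verify(forged, sig),
            "collision_tries": coll_tries, "preimage_tries": pre_tries}
```

With a real 160-bit hash the second-preimage search above would take on the order of 2^160 trials, which is the gap the post relies on when it says today's collision results do not let a third party forge a signed mail.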
