

Debian moving away from SHA-1 - r11t
http://www.debian-administration.org/users/dkg/weblog/48

======
dfranke
PGP is not in especially much danger due to the new results against SHA-1. The
new attack is a birthday attack, not a preimage attack. PGP uses SHA-1 in
several places, including some where it's "hard-wired" (i.e., parties can't
specify any alternative hash algorithm), but there's only one where a birthday
attack does any good: signing others' keys; this attack would work basically
the same way as the one that produced the rogue SSL CA using an MD5 collision.
Even here, this further requires a chosen-suffix attack, which this new
advance is not; though I would not be surprised if one were discovered in the
near future. Every other use of hash functions in PGP depends only on their
one-wayness, not on collision-resistance.

Nonetheless, in light of the new results, the IETF Working Group on OpenPGP is
likely to reconvene to produce a new version of the standard that doesn't
depend on SHA-1. They're also currently discussing my suggestion to include a
random salt at the beginning of the data that gets hashed for key signatures,
effectively rendering the integrity of these signatures immune to birthday
attacks. If this is done, and it likely will be, then PGP could probably get
away even with using MD5 everywhere (not that I'm recommending this!).

If, in the interim, a chosen-suffix attack against SHA-1 is discovered, then
signers can protect themselves by migrating their keys away from it as dkg
advises. Also, _only newly-made key signatures would be vulnerable. Key
signatures made prior to the discovery of such an attack would not be
compromised_.
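
As an added example (not code from this thread, from Debian, or from any OpenPGP implementation), here is a toy model in Python of the two points made in the comment above: a birthday attack yields two messages with the same digest, so a signature over one verifies over the other, and a signer-chosen random salt prepended to the hashed data defeats a collision the attacker prepared in advance. Everything concrete here is an assumption for the toy: SHA-256 truncated to 24 bits stands in for a hash with weak collision resistance, an HMAC over the digest stands in for a public-key signature, the salt is 16 bytes, and the "key signature" prefix string is made up.

```python
"""Toy model: birthday collision vs. salted ("randomized") hashing.

Added example, not OpenPGP code. Assumptions: a 24-bit truncated SHA-256 as
the weak hash, HMAC as a stand-in for an RSA/DSA signature, a 16-byte salt.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumption: toy digest width. A birthday search needs roughly 2^12 hashes,
# a preimage search roughly 2^24, which is the gap the comment above is about.
HASH_BITS = 24


def weak_hash(data: bytes) -> bytes:
    """SHA-256 truncated to HASH_BITS bits: cheap to collide, still one-way-ish."""
    return hashlib.sha256(data).digest()[: HASH_BITS // 8]


def find_collision(prefix: bytes = b"uid=alice@example.org;") -> Tuple[bytes, bytes]:
    """Birthday attack: hash distinct suffixes until two share a digest.

    The prefix is a made-up stand-in for the part of a key signature the
    attacker wants the victim to sign. Every message is distinct because the
    counter never repeats, so any digest hit is a genuine collision.
    """
    seen: Dict[bytes, bytes] = {}
    counter = 0
    while True:
        msg = prefix + counter.to_bytes(8, "big")
        digest = weak_hash(msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg
        counter += 1


def sign(key: bytes, data: bytes, salt: Optional[bytes] = None) -> bytes:
    """Toy signature: HMAC over the digest, like a real signature it depends
    on the data only through the hash. With a salt, the salt is hashed first."""
    return hmac.new(key, weak_hash((salt or b"") + data), "sha256").digest()


def verify(key: bytes, data: bytes, sig: bytes, salt: Optional[bytes] = None) -> bool:
    return hmac.compare_digest(sign(key, data, salt), sig)


def unsalted_forgery_succeeds(key: bytes, m1: bytes, m2: bytes) -> bool:
    """Attacker has m1 signed; because weak_hash(m1) == weak_hash(m2), the
    same signature verifies over m2. This is the rogue-CA style attack."""
    sig = sign(key, m1)
    return verify(key, m2, sig)


def salted_forgery_succeeds(key: bytes, m1: bytes, m2: bytes) -> bool:
    """Signer prepends a fresh random salt before hashing. The attacker's pair
    collided under weak_hash(m), not under weak_hash(salt + m), so the
    precomputed collision no longer transfers the signature to m2."""
    salt = os.urandom(16)  # assumption: 16-byte salt chosen by the signer
    sig = sign(key, m1, salt)
    return verify(key, m2, sig, salt)


if __name__ == "__main__":
    m1, m2 = find_collision()
    key = os.urandom(32)  # toy signing key
    print("collision found, digest:", weak_hash(m1).hex())
    print("forgery without salt verifies:", unsalted_forgery_succeeds(key, m1, m2))
    print("forgery with signer salt verifies:", salted_forgery_succeeds(key, m1, m2))
```

The salted check can still come out True with probability about 2^-24 in this toy, because the two messages may also collide under the salted hash by chance; with a full-width hash that residual probability is negligible. The salt only helps against an attacker who has to commit to a collision before seeing it, which is exactly the birthday case; it does nothing against a preimage attack, which is the case the comment says is not at issue.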

------
jeroen
Maybe such moves shouldn't be started after an attack is demonstrated, but as
soon as something better arrives. Researchers who publish their findings are
not the people to fear. Those who find successful attacks and do not make them
public are the dangerous ones.

~~~
r11t
Indeed. Security researchers who embrace responsible disclosure should be
thanked instead of being feared. Moves like these and the recent move towards
eglibc from glibc really make Debian pretty progressive as a community imho.

------
brl
Not sure how well thought out this decision is considering that SHA-1 has
resisted preimage attacks for almost a decade longer than the SHA-2 family
(since it is that much older).

Re-keying hundreds of developers as well as the entire Debian infrastructure
seems like a pretty extreme reaction to a problem that doesn't actually exist.

~~~
dfranke
I would be very surprised if there were a tractable preimage attack against
either algorithm in the next hundred years.

