oss-sec mailing list archives
cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1]
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Wed, 13 Nov 2013 11:54:17 -0500
On 11/13/2013 10:57 AM, Tim wrote:
Using a weak encyption algorithm alone isn't a sufficient condition to issue a CVE against software, since often the context of the usage matters a lot. If you use MD5 or SHA-1 for password hashing (with lots of salt and rounds), then there's no vulnerability. If you use them for HMACs, then there's also likely no problem. But if you use them for a signature with a public key, there is.
I'm inclined to try to apply your suggested guidelines to GnuPG:
gnupg uses SHA-1 as its default digest algorithm when making public key
signatures, both for cleartext "data signatures" and "certifications"
(OpenPGP keysigning).
Suggestions in the past to change the default digest algorithm to
SHA-256 have been resisted for the sake of interoperability, despite
every OpenPGP implementation in wide use having been capable of SHA-256
for many years.
Are you saying we should assign a CVE for the fact that GnuPG generates
data signatures over SHA-1 by default? What about its generation of
certifications over SHA-1 by default?
What about for the fact that GnuPG validates and accepts OpenPGP
certificates made via SHA-1 (note that this is a different question from
whether generating them warrants a CVE)?
GnuPG also currently accepts and validates certifications and data
signatures made with MD5. (it prints a warning, but it still treats the
certifications as acceptable when computing certificate validity, for
example). Should we assign a CVE for this as well?
As a reference point, the recent ENISA recommendations [0] recommend
digests of 160 bits (SHA-1) for "legacy" applications, 256 bits
(SHA-256) for "near-term future" (at least 10 years) applications and
512 bits (SHA-512) for "long-term future" (30 to 50 years, which they
acknowledge is difficult to predict).
I've been encouraging gnupg to move to stronger default cryptographic
primitives for years. i would appreciate any guidance the community
wants to give about how seriously to take these configuration choices.
--dkg
[0]
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Microsoft Warns Customers Away From RC4 and SHA-1 Kurt Seifried (Nov 12)
- Re: Microsoft Warns Customers Away From RC4 and SHA-1 Tim (Nov 13)
- Re: Microsoft Warns Customers Away From RC4 and SHA-1 Eric H. Christensen (Nov 13)
- cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Daniel Kahn Gillmor (Nov 13)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Tim (Nov 14)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Kurt Seifried (Nov 14)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Chris Palmer (Nov 14)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Kurt Seifried (Nov 14)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Chris Palmer (Nov 15)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Kurt Seifried (Nov 15)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Marcus Meissner (Nov 15)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Tim (Nov 15)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Seth Arnold (Nov 15)
- Re: Microsoft Warns Customers Away From RC4 and SHA-1 Tim (Nov 13)