Re: A review of hash function brittleness in OpenPGP

"Daniel A. Nagy" <nagydani@epointsystem.org> Fri, 09 January 2009 00:16 UTC

Message-ID: <49669464.3030100@epointsystem.org>
Date: Fri, 09 Jan 2009 01:03:48 +0100
From: "Daniel A. Nagy" <nagydani@epointsystem.org>
User-Agent: Thunderbird 2.0.0.19 (X11/20090105)
MIME-Version: 1.0
To: IETF OpenPGP Working Group <ietf-openpgp@imc.org>
CC: Monkeysphere Developers <monkeysphere@lists.riseup.net>
Subject: Re: A review of hash function brittleness in OpenPGP
References: <49664D21.50403@fifthhorseman.net> <80b274790901081434t46718ad5vdc215590d000c26a@mail.gmail.com> <49668A41.1030402@fifthhorseman.net>
In-Reply-To: <49668A41.1030402@fifthhorseman.net>

Daniel Kahn Gillmor wrote:
> The X.509 community was able to respond by further deprecating MD5
> because there was a parameterized method in place to switch to another
> hash function.  OpenPGP currently has this in place almost everywhere a
> hash function is used.  That's good!

As far as I can judge, X.509 PKI is still in the state of catastrophic failure
with no obvious way out.

Right now, if my browser (or yours, or anybody else's) tells me that the site I
am browsing presented a certificate issued to it by a legitimate CA, I cannot be
sure that this assertion is true. Rejecting all certificates with MD5 in their
signatures is not a solution (there are too many out there and replacing them
requires non-trivial cooperation between different parties; no-one can do it
acting alone). Not issuing any more MD5-based certificates is not a solution
(who knows how many rogue CAs are already out there?). In fact, I do not see an
easy and cheap solution out of this mess.

It is a good thought-experiment to assess the consequences of an existential
collision attack on SHA1 such as the one we have for MD5 on OpenPGP security,
considering all the places where SHA1 is wired in. I haven't checked every
corner of RFC4880, but I can see no catastrophic failure akin to what happened
to X.509 PKI.

-- 
Daniel
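The "places where SHA1 is wired in" that the message above alludes to can be made concrete. The following is an added example, not code from the post or from any OpenPGP implementation: it computes a version 4 key fingerprint exactly as RFC 4880 section 12.2 lays it out (SHA-1 over 0x99, a two-octet length and the public-key packet body), and sets it beside the one-octet hash-algorithm selector that a v4 signature packet carries. The RSA modulus, exponent and creation time used as input are constructed dummy values, far too small to be a real key; the function names are this example's own.

```python
"""
Added example (not from the original post or any OpenPGP project):
where RFC 4880 fixes SHA-1 by construction (v4 fingerprints and key IDs)
versus where it is parameterized (the hash-algorithm octet in signatures).
"""
import hashlib
import struct

# RFC 4880 section 9.1: public-key algorithm ID for RSA (Encrypt or Sign)
PUBKEY_ALGO_RSA = 1

# RFC 4880 section 9.4: hash algorithm IDs that a signature packet can select
HASH_ALGO_NAMES = {1: "md5", 2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}


def mpi(n: int) -> bytes:
    """RFC 4880 section 3.2 MPI: two-octet bit length, then big-endian magnitude."""
    bit_len = n.bit_length()
    return struct.pack(">H", bit_len) + n.to_bytes((bit_len + 7) // 8, "big")


def v4_public_key_body(created: int, algo: int, *mpis: int) -> bytes:
    """Body of a version 4 Public-Key packet (RFC 4880 section 5.5.2):
    version octet 4, four-octet creation time, algorithm octet, then the MPIs."""
    return b"\x04" + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(m) for m in mpis)


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99, a two-octet body length, and the body.
    There is no selector octet here; SHA-1 is wired in, so a SHA-1 collision on
    two key packet bodies yields two keys with the same fingerprint."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def key_id(fingerprint: bytes) -> bytes:
    """The v4 Key ID is the low-order 64 bits of the fingerprint (RFC 4880 section 12.2)."""
    return fingerprint[-8:]


def hash_algo_name(hash_algo_octet: int) -> str:
    """By contrast, a v4 signature packet (RFC 4880 section 5.2.3) carries a
    hash-algorithm octet, so the digest over signed data can be migrated away
    from SHA-1 without changing the packet format."""
    try:
        return HASH_ALGO_NAMES[hash_algo_octet]
    except KeyError:
        raise ValueError(f"unsupported or reserved hash algorithm octet {hash_algo_octet}")


def signed_data_digest(hash_algo_octet: int, data: bytes) -> bytes:
    """Digest the data with whatever algorithm the signature packet selected."""
    return hashlib.new(hash_algo_name(hash_algo_octet), data).digest()


# Constructed dummy key material (not a real key): tiny modulus, common exponent,
# and a creation time close to the date of the post (2009-01-09, UTC).
DUMMY_N = 0xC0FFEE1234567890ABCDEF
DUMMY_E = 65537
DUMMY_CREATED = 1231459428


def demo_fingerprint() -> tuple[str, str]:
    """Return (fingerprint, key ID) of the constructed dummy key as upper-case hex."""
    body = v4_public_key_body(DUMMY_CREATED, PUBKEY_ALGO_RSA, DUMMY_N, DUMMY_E)
    fp = v4_fingerprint(body)
    return fp.hex().upper(), key_id(fp).hex().upper()


if __name__ == "__main__":
    fp_hex, kid_hex = demo_fingerprint()
    print("v4 fingerprint (always SHA-1):", fp_hex)
    print("key ID (low 64 bits of it):   ", kid_hex)
    for octet in (2, 8):
        print(f"signature hash octet {octet} selects {hash_algo_name(octet)}")
```

Run it and the point of the thread is visible in the output: the signature-side digest is a one-octet field a signer can change, while every fingerprint and key ID in the v4 format is a SHA-1 value with no field to switch, so a migration there means a new key version rather than a new parameter.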