Re: [openpgp] Deprecating SHA1

Guillem Jover <guillem@hadrons.org> Fri, 23 October 2020 20:14 UTC

Return-Path: <guillem@hadrons.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 047893A0B1D for <openpgp@ietfa.amsl.com>; Fri, 23 Oct 2020 13:14:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.117
X-Spam-Level:
X-Spam-Status: No, score=-1.117 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_SORBS_DUL=0.001, RDNS_DYNAMIC=0.982, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hadrons.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J4_ADKq2Ip1n for <openpgp@ietfa.amsl.com>; Fri, 23 Oct 2020 13:14:01 -0700 (PDT)
Received: from pulsar.hadrons.org (2.152.178.181.dyn.user.ono.com [2.152.178.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4660C3A0B1C for <openpgp@ietf.org>; Fri, 23 Oct 2020 13:14:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=hadrons.org ; s=201908; h=In-Reply-To:Content-Transfer-Encoding:Content-Type:MIME-Version :References:Message-ID:Subject:Cc:To:From:Date:From:Reply-To:Subject: Content-ID:Content-Description:X-Debbugs-Cc; bh=HS/thiCxE6Fbwz00+SjYmjD2fIWV+WYMvrkC8MapsPA=; b=cNpX0NMx0xH0hYTwt14iBAYhr5 /dz5wFcLsngFjIfdlC24JUkiBObrCX4YSpSd1Rh4C5OFOA33Xg30ixOG4eJZJt3EFU2SMHNdsxyOw 7OWLLoWY9Re/uiVTXAvoft4CJc+PC4Ii2hfyGYgbk42zBdZRghW2vBBh+MuWdxCB+u0Ncj1vt8p5a ltFe+uMGhVmKAVymmGrvE/mwOmEjHN5+cT6BgnMHX4xntaoHVlmoPlsrcInPIp54B59151gQCp0Ch S1QkJumcMJdgUmCDNljSsPf+kmd0NuSmylfRISu5DpKQouFIQCHVlwpgFUZawnTVOnJ63zKv61NOr sqJM3Qfg==;
Received: from guillem by pulsar.hadrons.org with local (Exim 4.92) (envelope-from <guillem@hadrons.org>) id 1kW3ck-00042c-Rf; Fri, 23 Oct 2020 22:25:18 +0200
Date: Fri, 23 Oct 2020 22:13:55 +0200
From: Guillem Jover <guillem@hadrons.org>
To: "Neal H. Walfield" <neal@walfield.org>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>
Message-ID: <20201023201355.GA72347@thunder.hadrons.org>
References: <87sga5xg03.wl-neal@walfield.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <87sga5xg03.wl-neal@walfield.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Ff8Zs-13OMM6Xk7QpgjQmgcA0H4>
Subject: Re: [openpgp] Deprecating SHA1
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Oct 2020 20:14:04 -0000

Hi!

[ CCing the Debian keyring maintainers, that I'm not sure whether they are
  subscribed, and leaving enough quoted text for context. ]

On Fri, 2020-10-23 at 14:51:08 +0200, Neal H. Walfield wrote:
> I'm turning to this mailing list to seek advice about how to deal with
> SHA1-based self signatures.  I have two concrete questions, which are
> at the bottom of the email.  But first, I want to present the concrete
> problem and my thoughts so far.
> 
> 
> Based on the "SHA-1 is a Shambles" paper [1] we decided to change
> Sequoia to reject signatures that use SHA1 by default [2].  This
> includes both signatures over data, as well as self signatures of all
> kinds including primary key binding signatures (aka backsigs).
> 
>   [1] https://sha-mbles.github.io/
>   [2] https://docs.sequoia-pgp.org/sequoia_openpgp/policy/struct.StandardPolicy.html#method.reject_hash_at
> 
> A Secure Drop developer recently contacted us, and indicated that our
> policy was too strict: some of the Secure Drop installations have
> offline keys that use SHA1, and the users have no easy way (or lack
> the will) to update those keys.
> 
> This prompted me to investigate the use of SHA1 in general.
> Unfortunately, it appears that many actively used certificates from
> technically sophisticated users still rely on SHA1.  The results of my
> investigation are here:
> 
>   https://gitlab.com/sequoia-pgp/sequoia/-/issues/595
> 
[…]
> 
> Looking at the Debian Keyring, I found that:
> 
>   - 106 of the 884 certificate (12%) use SHA1 for all User ID binding
>     signatures and direct key signatures
> 
>   - 63 more (7%) use SHA1 to protect at least one non-revoked User ID.
> 
>   - 234 have a non-revoked, live signing capable subkey
> 
>     - 19 of those have binding signatures that use SHA1 in some way
>       (8%).
> 
>     - 9 use something stronger for the subkey binding signature, but
>       SHA1 for the backsig.  (This appears to be a bug in GnuPG, which
>       I reported [4].)
> 
>   [4] https://dev.gnupg.org/T5110
> 
> As Debian Developers are perhaps the most sophisticated OpenPGP users,
> this is pretty damning.
>
[…]
>
> Given these results, we decided to reevaluate our bad listing of SHA1.
> As the SHA1 paper indicates that SHA1's preimage resistance is not
> broken, I thought that we might be able to accept SHA1 for self
> signatures, and not for documents [6].  But, Azul pointed out [7] that
> Mallory could create a collision for a document and a self-signature,
> and then convince Alice to sign the document.  This could work in
> practice because Mallory can predict everything in the signature, but
> the timestamp, and if Alice is an automated signing service, there is
> a good chance that Mallory would be able to get Alice to sign the
> document at the right time.
> 
>   [6] https://gitlab.com/sequoia-pgp/sequoia/-/issues/595
>   [7] https://gitlab.com/sequoia-pgp/sequoia/-/issues/595#note_433768966
>
[…]
>
> So, two questions:
> 
>   - Does anyone see a safe way to accept SHA1 self-signatures today?
>     Or (ouch!), if we want to be safe, do we have to convince ~10% of
>     the sophisticated OpenPGP users to re-sign or regenerate their
>     keys?
[…]

Regards,
Guillem