Re: [Sam Hartman] Openpgp comments (Daniel A. Nagy) Tue, 19 September 2006 23:14 UTC

Date: Wed, 20 Sep 2006 00:45:38 +0200
Subject: Re: [Sam Hartman] Openpgp comments

On Mon, Sep 18, 2006 at 10:33:32PM -0400, David Shaw wrote:
> On Mon, Sep 18, 2006 at 11:02:44AM -0400, Derek Atkins wrote:
> > The second issue is the encryption with integrity packet.  Today this
> > is hard-wired to use SHA-1.  That's not OK.  We need an upgrade path
> > for that and I think we need to support SHA-256 now.
> Does the MDC actually need collision resistance?  I was under the
> impression that (like the secret key "S2K 254" use of SHA-1) this was
> essentially a checksum and the recent attacks against SHA-1 did not
> apply.

I have just discussed this issue with my students at our cryptography
seminar. The general consensus is that MDCs do not need collision
resistance. Thus, SHA1 is secure with a huge security margin. The recent
weakening of SHA1 means that finding a pre-image takes approx 2^138
attempts, which is still comfortably beyond reach for today's and tomorrow's
technology. Introducing longer hashes would make it slower, while not
improving security. If you insist, I can provide the complete reasoning why
collision-resistance is not required for MDC.

If anything, I would consider RIPEMD128, as it is faster than SHA1 and
offers about the same level of security while being a bit shorter. But
then again, there's no reason to mess with the standard as it is.
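The MDC construction under discussion, as an added Python example that is not part of this thread: per RFC 4880 section 5.13, the SHA-1 is computed over the random prefix, the plaintext and the MDC packet header (0xD3 0x14), appended to the data, and the whole thing is then encrypted. The encryption step itself is omitted here; the functions operate on the payload as it looks just before encryption and just after decryption, which is where the integrity check lives.

```python
import hashlib
import hmac
import os

# MDC packet header: tag 0xD3 (Modification Detection Code) followed by a
# one-octet length of 0x14 (20 octets, the size of a SHA-1 digest).
MDC_HEADER = b"\xd3\x14"
MDC_LEN = 20


def make_prefix(block_size: int = 16) -> bytes:
    """Random prefix of block_size octets, followed by a repeat of its last
    two octets (the 'quick check' bytes used by the decrypting side)."""
    rnd = os.urandom(block_size)
    return rnd + rnd[-2:]


def protect(plaintext: bytes, prefix: bytes) -> bytes:
    """Build the data that goes under encryption in a Symmetrically Encrypted
    Integrity Protected Data packet: prefix || plaintext || MDC header ||
    SHA-1(everything preceding). The hash covers prefix and header too."""
    body = prefix + plaintext + MDC_HEADER
    return body + hashlib.sha1(body).digest()


def verify(decrypted: bytes, block_size: int = 16):
    """Check a decrypted payload. Returns the plaintext, or None when the
    prefix repeat, the MDC header or the SHA-1 value does not match."""
    prefix_len = block_size + 2
    if len(decrypted) < prefix_len + len(MDC_HEADER) + MDC_LEN:
        return None
    prefix = decrypted[:prefix_len]
    if prefix[-2:] != prefix[-4:-2]:  # quick check on the repeated octets
        return None
    body, mdc = decrypted[:-MDC_LEN], decrypted[-MDC_LEN:]
    if body[-len(MDC_HEADER):] != MDC_HEADER:
        return None
    if not hmac.compare_digest(hashlib.sha1(body).digest(), mdc):
        return None
    return body[prefix_len:-len(MDC_HEADER)]


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input, not real traffic
    payload = protect(msg, make_prefix())
    assert verify(payload) == msg
    tampered = bytearray(payload)
    tampered[20] ^= 0x01  # one flipped bit inside the plaintext region
    assert verify(bytes(tampered)) is None
```

Because the hash sits inside the encrypted payload, an attacker who cannot decrypt has no hash value to match against, which is why the check needs second-preimage resistance rather than collision resistance.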