Re: [Sam Hartman] Openpgp comments

nagydani@epointsystem.org (Daniel A. Nagy) Tue, 19 September 2006 23:14 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GPonP-0003Zu-1l for openpgp-archive@lists.ietf.org; Tue, 19 Sep 2006 19:14:31 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GPonN-0005cg-FQ for openpgp-archive@lists.ietf.org; Tue, 19 Sep 2006 19:14:30 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JMkMIj013208; Tue, 19 Sep 2006 15:46:22 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8JMkMKr013207; Tue, 19 Sep 2006 15:46:22 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JMkKJG013199 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 15:46:21 -0700 (MST) (envelope-from nagydani@epointsystem.org)
Received: by mail.epointsystem.org (Postfix, from userid 1001) id 6F1BB3B2F; Wed, 20 Sep 2006 00:45:38 +0200 (CEST)
Date: Wed, 20 Sep 2006 00:45:38 +0200
To: ietf-openpgp@imc.org
Subject: Re: [Sam Hartman] Openpgp comments
Message-ID: <20060919224538.GA8290@epointsystem.org>
References: <sjmd59txlnv.fsf@cliodev.pgp.com> <20060919023332.GA30748@jabberwocky.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="liOOAslEiF7prFVr"
Content-Disposition: inline
In-Reply-To: <20060919023332.GA30748@jabberwocky.com>
User-Agent: Mutt/1.5.9i
From: nagydani@epointsystem.org (Daniel A. Nagy)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64

On Mon, Sep 18, 2006 at 10:33:32PM -0400, David Shaw wrote:
> 
> On Mon, Sep 18, 2006 at 11:02:44AM -0400, Derek Atkins wrote:
> 
> > The second issue is the encryption with integrity packet.  Today this
> > is hard-wired to use SHA-1.  That's not OK.  We need an upgrade path
> > for that and I think we need to support SHA-256 now.
> 
> Does the MDC actually need collision resistance?  I was under the
> impression that (like the secret key "S2K 254" use of SHA-1) this was
> essentially a checksum and the recent attacks against SHA-1 did not
> apply.

I have just discussed this issue with my students at our cryptography
seminar. The general consensus is that MDCs do not need collision
resistance. Thus, SHA1 is secure with a huge security margin. The recent
weakening of SHA1 means that finding a pre-image takes approx 2^138
attempts, which is still comfortably beyond reach for today's and tomorrow's
technology. Introducing longer hashes would make it slower, while not
improving security. If you insist, I can provide the complete reasoning why
collision-resistance is not required for MDC.

 If anything, I would consider RIPEMD128, as it is faster than SHA1 and
offers about the same level of security while being a bit shorter. But
then again, there's no reason to mess with the standard as it is.

-- 
Daniel