Re: [openpgp] Deprecating SHA1

"brian m. carlson" <sandals@crustytoothpaste.net> Sat, 24 October 2020 16:54 UTC

Return-Path: <sandals@crustytoothpaste.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 824503A0ECC for <openpgp@ietfa.amsl.com>; Sat, 24 Oct 2020 09:54:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, LOTS_OF_MONEY=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H-3H5LY1u2Df for <openpgp@ietfa.amsl.com>; Sat, 24 Oct 2020 09:54:02 -0700 (PDT)
Received: from injection.crustytoothpaste.net (injection.crustytoothpaste.net [192.241.140.119]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B63B3A0ECA for <openpgp@ietf.org>; Sat, 24 Oct 2020 09:54:02 -0700 (PDT)
Received: from camp.crustytoothpaste.net (unknown [IPv6:2001:470:b978:101:b610:a2f0:36c1:12e3]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by injection.crustytoothpaste.net (Postfix) with ESMTPSA id EC4C160479; Sat, 24 Oct 2020 16:54:00 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1603558441; bh=l8nQMi/nHrf/eQyFKcQnEIQQayS4jSe2mj6BWlR2Krw=; h=Date:From:To:Cc:Subject:References:Content-Type: Content-Disposition:In-Reply-To:From:Reply-To:Subject:Date:To:CC: Resent-Date:Resent-From:Resent-To:Resent-Cc:In-Reply-To:References: Content-Type:Content-Disposition; b=DtQ7wZuSnTvqjUO0AL5FQf7j0QpsuIBDTNQMtudLUi/+1JXKxIsr6xBP44cDpQa7s QrGIzdmjJfSYxN48v5pMRfXS5Ffdm1M3c4YkWlKXf2zfOVzoxcwOq6yZqrXuhO8GNJ eVz6f4j4URwJPrwFWsQ6ybswoRmkFkIyVwfmGlc+ueYyH5MlP41hVF9wdI+EKN6U4E 7MHco99OxJLKpsZXpZ2BIi/8CJTjoKFFUNWTZA7lol07xZtjj7408f9z3LmNiqNXsa /gN+7F6x6slnbJ8xwJ2lF2Z7RJg4uz7B8OuWXkTys1zDO2Cam/fZOms2xXQyjItbA/ wwhwO+k78e+WjiuoyMpknjYm66Rorhtu3aQo4vi3nct/xBAnXL1aPng5blrl7t3Jdi qDSq/MZGRJf+PWMmYS50wyzy6vCBX5SFWJStXiyAkNQko0HpUKULcV/Zt1JnlW5O+v H4rtzOniTyUOFpXvkJ1bk7CcuU6nuj/eqH0W5uUNlnnnuN/VjbH
Date: Sat, 24 Oct 2020 16:53:54 +0000
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: "Neal H. Walfield" <neal@walfield.org>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>
Message-ID: <20201024165354.GD860779@camp.crustytoothpaste.net>
References: <87sga5xg03.wl-neal@walfield.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="EY/WZ/HvNxOox07X"
Content-Disposition: inline
In-Reply-To: <87sga5xg03.wl-neal@walfield.org>
User-Agent: Mutt/1.14.6 (2020-07-11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/akttNyMt6vXEvqSDT8CTd_ASLNs>
Subject: Re: [openpgp] Deprecating SHA1
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Oct 2020 16:54:04 -0000

On 2020-10-23 at 12:51:08, Neal H. Walfield wrote:
> So, two questions:
> 
>   - Does anyone see a safe way to accept SHA1 self-signatures today?
>     Or (ouch!), if we want to be safe, do we have to convince ~10% of
>     the sophisticated OpenPGP users to re-sign or regenerate their
>     keys?

I think the time for transition with SHA-1 is gone.  The algorithm is
estimated to be attackable for $45,000.  A thrifty and reasonably
well-paid software engineer could put that away in a year or less.  It's
within the budget of almost any medium or large business.

We should soundly bludgeon SHA-1 over the head and let it die.  I'd
propose stating that implementations MUST NOT accept signatures made
with MD5 or SHA-1 in RFC 4880 bis.  Both have been known to be weak for
a long time.  It will be painful, but we're not helping anyone by
continuing to accept weak algorithms.

I should point out that GnuPG has shipped with SHA-256 since
approximately 2002 and SHA-384 and SHA-512 since at least 2007.  That
means everyone using any major operating system that still has security
support should be able to verify newer signatures.

If we're provident, we'll specify some version of SHA-3 to be a SHOULD.
Cryptanalysis is advancing on SHA-2.

>   - What do people think about including a salt in the hash to make
>     the content of the hash less predictable as described in [7]?

I know not everyone will agree, but I prefer deterministic signatures.
There are use cases for OpenPGP with systems with little or no entropy
using Ed25519 or deterministic ECDSA for signing.  Smart cards come to
mind, for example.

Additionally, I don't think a salt is proof that a signature doesn't
have a collision.  If the salt is generated by the attacker, then it can
easily be part of the collision.  That could easily be the case if the
signature came from a smart card or embedded device, where the salt
might not be generated on the card.  We therefore cannot rely on it as
evidence that a signature using a weak algorithm is secure.
-- 
brian m. carlson (he/him or they/them)
Houston, Texas, US