Re: [openpgp] Followup on fingerprints

[Derek Atkins <derek@ihtfp.com>]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> The current OpenPGP fingerprint mechanism (in RFC 4880) uses SHA-1,
> which is a 160-bit digest.  SHA-1's collision resistance is believed to
> be weaker than the 2^80 work factor that an ideal 160-bit digest should
> have.  But that doesn't mean that it is necessarily "broken" for
> OpenPGP, if there is no way to exploit a collision atack on fingerprints
> in general.

Indeed, while the SHA-1 collision resistance appears to be less than
2^80, there does not seem to be any known attacks that would make a
preimage attack any easier, which means the way OpenPGP uses SHA-1 for
fingerprints is still, technically, secure.

The real issue is one of education.  It's probably easier to move to
SHA2 than explain why the OpenPGP use of SHA-1 for fingerprints isn't
broken.

> That said, the general cryptographic advice on SHA-1 is "don't use it",
> so while sticking with SHA-1 may not be a problem for this specific
> case, it is a distraction from the cryptanalysis to have to have this
> kind of discussion ("actually, maybe it's ok in this particular use")
> whenever it comes up.
>
> Our constraints in the WG here are also bound by UI concerns -- the
> fingerprint mechanism is one used by humans, and humans have a limited
> capacity to process and handle long high-entropy bitstrings (regardless
> of their representation).  So we're really trying to navigate a
> multidimensional design space here when we talk about what to do for
> fingerprints.
>
> I'll try to start a new thread that identifies those choices more
> clearly, and ask people to weigh in on simpler questions about
> fingerprints rather than having everything tangled up.
>
>              --dkg

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant