Just in case you haven’t heard of it, there’s a new attack vector on the SHA-1 hash algorithm. This is causing all kinds of havoc in communities that use PGP signatures, since signatures are created with this hash function by default. On top of that, GnuPG’s defaults for a key result in a key such that you cannot use the SHA-2 family of functions (you cannot use anything with more than 160 bits, or, more precisely, you can but it gets truncated), so you’re basically stuck with SHA-1 or RIPEMD-160.
But this is not what I wanted to talk about. There’s really way too much information in this regard on the net already (I’ll give some pointers in the references section of this article). Instead, I’m worried about something else.
See, if you use GnuPG you can get around the issue and create signatures with any other hash algorithm you want, by specifying the desired function in your ~/.gnupg/gpg.conf via the personal-digest-preferences parameter. This is even OpenPGP compatible to some degree.
The real deal, and what really troubles me, is that the only hash function that you are required to implement in order to be OpenPGP compatible is SHA-1. It is the only one that gets forcibly added to your preferences if you leave it out. So, for a message to be understandable by any OpenPGP application, you should stick to it.
This is even worse for certifications. You can force a hash function for them, but this totally breaks the standard. As the GnuPG man page states, “It is important to be aware that not all OpenPGP programs implement these optional algorithms and that by forcing their use via the --cipher-algo, --digest-algo, --cert-digest-algo, or --compress-algo options in GnuPG, it is possible to create a perfectly valid OpenPGP message, but one that cannot be read by the intended recipient.”
So, what should be done about this issue? I’m a standards advocate, and am not willing to break them. I think the right solution to this issue must come from the committee that writes OpenPGP standards, whose name eludes me right now.
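To see which of your own signatures and certifications still rely on a 160-bit digest, here is an added example (not part of the original post, and not GnuPG code) that reads the text printed by `gpg --list-packets` and reports the digest used by each signature packet. The function names, the sample listing and its key IDs are constructed for illustration, and the parser assumes the usual `sigclass` / `digest algo` line layout of that command.

```python
import re

# Hash algorithm IDs from RFC 4880, section 9.4.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # digests of 160 bits or fewer
SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-Fa-f]+)")
CLASS_RE = re.compile(r"sigclass 0x([0-9A-Fa-f]{2})")
DIGEST_RE = re.compile(r"digest algo (\d+)")

# Constructed sample in the layout printed by `gpg --list-packets`.
SAMPLE = """\
:signature packet: algo 17, keyid 1111111111111111
\tversion 4, created 1100000000, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 3c 5a
:signature packet: algo 1, keyid 2222222222222222
\tversion 4, created 1240000000, md5len 0, sigclass 0x10
\tdigest algo 8, begin of digest 9f 01
:public sub key packet:
\tversion 4, algo 16, created 1100000000, expires 0
:signature packet: algo 17, keyid 1111111111111111
\tversion 4, created 1100000000, md5len 0, sigclass 0x18
\tdigest algo 2, begin of digest 77 aa
"""

def sig_kind(sigclass):
    """Map an RFC 4880 signature type to a coarse category."""
    if 0x10 <= sigclass <= 0x13:
        return "certification"
    return {0x00: "data signature", 0x01: "data signature",
            0x18: "key binding", 0x19: "key binding"}.get(sigclass, "other")

def audit(listing):
    """Return one record per signature packet found in the listing."""
    records, cur = [], None
    for line in listing.splitlines():
        m = SIG_RE.match(line)
        if m:
            cur = {"keyid": m.group(1).upper(), "kind": "other", "digest": None}
            records.append(cur)
        elif line.startswith(":"):
            cur = None  # a non-signature packet starts here
        elif cur is not None:
            if (c := CLASS_RE.search(line)):
                cur["kind"] = sig_kind(int(c.group(1), 16))
            if (d := DIGEST_RE.search(line)):
                cur["digest"] = HASH_NAMES.get(int(d.group(1)), "unknown")
    return records

def weak_signatures(listing):
    """Keep only signatures made with MD5, SHA-1 or RIPEMD-160."""
    return [r for r in audit(listing) if r["digest"] in WEAK]
```

Pass it the text produced by piping an exported key or a detached signature into `gpg --list-packets`; anything `weak_signatures` returns is a candidate for re-signing once the key can use a longer digest.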
All this said, I’m kind of lost. For starters, I’ll be updating my key’s preferences. Also I’m considering revoking my 1024-bit DSA signing subkey, as it seems to fall in the deprecated category for me now. Luckily, I didn’t follow the defaults for the primary key, so I’m all right there. I should be creating a new signing key to replace it, capable of using any hash function. And I may be publishing a statement on my site, signed by my primary key, regarding these changes. This also forces me to update my signature and certification policies.
I follow the GnuPG mailing lists religiously, and the most respected users there claim we shouldn’t worry about this for the time being. GnuPG’s developers are included among those people. Still, I can’t shake off the feeling of being in a dead-end situation. Anyways, it seems like we still have some time to think before acting.
References
- RFC 4880: OpenPGP Message Format.
- gnupg-users: David Shaw explains hash truncating in DSA keys.
- Debian Administration: HOWTO migrate off SHA-1 in OpenPGP.
- man gpg.