From: <Paul.Koning@dell.com>
To: <richard.guenther@gmail.com>
Cc: <r030t1@gmail.com>, <binutils@sourceware.org>, <gcc@gcc.gnu.org>,
<gdb@sourceware.org>
Subject: Re: Release Signing Keys are Susceptible to Attack
Date: Thu, 17 Aug 2017 13:09:00 -0000
Message-ID: <01A2706F-1696-4D2E-A896-27C157055FE2@dell.com>
In-Reply-To: <CAFiYyc1v=E+0FHp9yF6oM-j8HMNDgrQ9Q3yNAa0vQ52ejYfT6A@mail.gmail.com>
> On Aug 17, 2017, at 4:39 AM, Richard Biener <richard.guenther@gmail.com> wrote:
>
> On Thu, Aug 17, 2017 at 4:23 AM, R0b0t1 <r030t1@gmail.com> wrote:
>> After downloading and verifying the releases on
>> ftp://ftp.gnu.org/gnu/, I found that the maintainers used 1024 bit DSA
>> keys with SHA1 content digests. 1024 bit keys are considered to be
>> susceptible to realistic attacks, and SHA1 has been considered broken
>> for some time.
>>
>> http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf, p17
>> https://shattered.io/
>>
>> SHA1 is weak enough that a team of researchers was able to mount a
>> realistic attack at no great cost.
I agree that 1024 bit RSA or DSA keys are not a good idea. Since DSA is fixed at 1024 bits, that means DSA is obsolete. Fortunately RSA can use any key size (if you wait for it), and 2048 is a good choice at the moment.
As for SHA1, your statement misses some critical detail. There are two basic attacks on hash functions:
1. Construct a pair of messages that have the same hash.
2. Given message X, construct message Y different from X that has the same hash.
What has been demonstrated is #1. But that doesn't break signatures of existing data -- only #2 would. #2 is much harder and has not been demonstrated. It is true that #1 is a significant weakness and indicates SHA1 is at risk, but there is no emergency relating to the use of SHA1 in digital signatures of data such as GCC kits.
> It looks like gpg2 uses SHA1 as digest algorithm by default. I use
> a 2048bit RSA for signing, that should be ok, no?
>
> I suggest to report the issue to gnupg upstream (I'm using 2.0.24
> with libgcrypt version 1.6.1). It looks like the OpenPGP standard
> mandates SHA1 here and using --digest-algo is strongly advised
> against for interoperability reasons.
In spite of what I said above about SHA1, I would argue that warning is obsolete and the spec needs to be updated accordingly. Current gpg clearly supports SHA-2 (as "sha256", "sha384" and "sha512") and it would make sense to use it.
If you want to be extra accommodating, you could publish signatures both with sha512 and with sha1, the latter not quite as strong but available for those who can't handle the newer algorithm.
paul
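The check the original report describes (which public-key and digest algorithms a release signature was made with), as an added example that is not part of this thread and not gpg's own code: a small parser for the algorithm fields of a v4 OpenPGP signature packet, run here on constructed sample packets that carry only the leading header fields. Packet layout and algorithm ids follow RFC 4880; the "weak" sets encode the two points raised in the thread (SHA1 as digest, DSA as key type).

```python
import base64

# Algorithm ids from RFC 4880 section 9 (the ones gpg commonly emits)
PUBKEY_ALGS = {1: "RSA", 3: "RSA (sign-only)", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}   # MD5, SHA1: disallowed for signature generation by SP 800-131A
WEAK_PUBKEYS = {17}    # DSA: 1024-bit keys in practice, the thread's other complaint

def dearmor(text):
    """Strip ASCII armor (headers, blank line, CRC24 line) and return raw packet bytes."""
    b64, inside = [], False
    for line in text.splitlines():
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif inside and line and ": " not in line and not line.startswith("="):
            b64.append(line.strip())
    return base64.b64decode("".join(b64))

def sig_algorithms(data):
    """Return (public-key alg id, hash alg id) of a v4 OpenPGP signature packet."""
    hdr = data[0]
    if hdr & 0x40:                      # new-format header: tag in the low 6 bits
        tag, first = hdr & 0x3F, data[1]
        off = 2 if first < 192 else 3 if first < 224 else 6   # 1-, 2- or 5-octet length
    else:                               # old-format header: tag in bits 2-5, length type in bits 0-1
        tag, off = (hdr >> 2) & 0x0F, 1 + {0: 1, 1: 2, 2: 4, 3: 0}[hdr & 0x03]
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = data[off:]
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    return body[2], body[3]             # v4 layout: version, sig type, pk alg, hash alg, ...

def assess(data):
    """Name the algorithms used and list those a release signer should move away from."""
    pk, h = sig_algorithms(data)
    weak = [PUBKEY_ALGS[pk]] if pk in WEAK_PUBKEYS else []
    if h in WEAK_HASHES:
        weak.append(HASH_ALGS[h])
    return {"pubkey": PUBKEY_ALGS.get(pk, f"alg {pk}"),
            "hash": HASH_ALGS.get(h, f"alg {h}"), "weak": weak}

# Constructed samples: packet header plus the leading v4 fields only (no MPIs, so they
# verify nothing). Old-format header, DSA (17) with SHA1 (2), as the report describes:
SAMPLE_DSA_SHA1 = bytes([0x88, 0x0A, 0x04, 0x00, 0x11, 0x02, 0, 0, 0, 0, 0xAB, 0xCD])
# New-format header, RSA (1) with SHA512 (10), the combination the reply recommends:
SAMPLE_RSA_SHA512 = bytes([0xC2, 0x0A, 0x04, 0x00, 0x01, 0x0A, 0, 0, 0, 0, 0xAB, 0xCD])
ARMORED_SAMPLE = "-----BEGIN PGP SIGNATURE-----\n\niAoEABECAAAAAKvN\n-----END PGP SIGNATURE-----\n"
```

For a real binary detached signature pass `open(path, "rb").read()` to `assess`; for an armored `.asc` file pass `dearmor(open(path).read())`. The key length itself is not in the signature packet, so DSA is flagged by algorithm, not by measured key size.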
Thread overview:
2017-08-17 2:23 R0b0t1
2017-08-17 8:39 ` Richard Biener
2017-08-17 13:09 ` Paul.Koning [this message]