7

I've heard that SHA-1 hashing is becoming less secure, and that most GPG keys are secured with SHA-1. Is there a way to determined if SHA-1 is in my GPG key, and what to do if this is the case?

Jason
  • 1,339
  • 10
  • 17

3 Answers3

5

SHA-1 is only one of the many hashing algorithms available in the OpenPGP standard. You can (and should) choose better algorithms for signing documents or keys.

However, SHA-1 is the only algorithm used for generating an OpenPGP V4 fingerprint.

Is this an issue? I think not for the immediate future. There are two kinds of attacks on a hashing algorithm. Collision attacks allow the attacker to find two messages that have the same hash. Preimage attacks allow the attacker to find a message that hashes to a given hash.

Collision attacks on SHA-1, better than brute force, have been known for a long time and are getting better over time. Practical attacks are thought to be within the reach of well-funded organizations now, and will become cheaper over time due to Moore's law.

However, since PGP keys are usually generated by their users, collision attacks are not a problem. They might conceivably be a problem in contexts where someone's key is generated by a third party, which might occur in some corporate environments or other large organizations. It might also be a problem for any keyserver software that expects the fingerprint to be a unique key: someone could upload two keys with the same fingerprint and possibly bollix things up until the software is patched. (I don't know whether any keyserver software actually does this.)

Preimage attacks on SHA-1 could be a problem, if one only relies on the fingerprint. I can imagine various scenarios where an attacker could fool someone into accepting their key in place of another key. Alice downloads a key from somewhere and calls Bob to verify the fingerprint. An attacker organizes a keysigning party and substitutes their key for someone else's. Such attacks would be difficult, but feasible.

However, as far as I can tell, there's no prospect of a practical preimage attack on SHA-1 anytime soon. The best one I can find is Kelsey and Schneier's 2004 paper that finds a preimage in 2106 steps.

That said, SHA-1 is definitely showing its age, and you never know when a better attack will be found. I would be quite happy if the OpenPGP standard were amended to add a V5 fingerprint using SHA-2 or SHA-3. I hope people start working on that sometime soon.

Tom Zych
  • 270
  • 1
  • 11
3

'gpg --version' will show your prefs.

Add similar to gpg.conf (your prefs, of course):

personal-cipher-preferences AES256 TWOFISH AES192 AES

personal-digest-preferences SHA512 SHA384 SHA256

personal-compress-preferences ZLIB BZIP2 ZIP

As for your key, I don't have that answer. But, as your daily key should be a SUB, revoke the SUB and re-issue a new key. If it isn't a SUB, then you have a bigger problem.

Andy
  • 31
  • 1
1

GnuPG is an implementation of OpenPGP. You can use GnuPG(GPG) to encrypt and sign your data and messages. You can also use GPG to compute the hash of some data. When you do this you can choose what hashing algorithm you use. It looks like GPG supports a variety of algorithms including the "newer" SHA-2 functions.

You can use various ciphers to encrypt your data with GPG. When you encrypt you choose a passphrase. From this passphrase a key is generated. So if you use AES 256 the key will be 256 bits. The way that the key is generated from the passphrase is using the key scheduling. Some algorithms might use SHA1, but I don't believe that GnuPG does.

The one place where the hashing algorithm does come in is when signing. According to this random blog post (from 2013) GPG by default uses SHA1. But you can change this as alluded to in the other answer (and as described in the random blog post).

So in the end, you shouldn't have to worry because SHA1 doesn't have anything to do with the key.

Also, from what I understand SHA1 is still in general considered safe. I am guessing that many people are trying to get away from it because it has been around for a while. Even though he is a controversial figure, "Security expert" Steve Gibson discussed SHA1 on a recent episode of Security Now. This might be interesting (even though he might not actually be a "security expert"). (Please don't downvote just because you don't like Steve Gibson.) One point he makes is that when MD5 was found to be insecure, people were caught a bit by surprise. So to avoid this, some would suggest not to use SHA1 simply because it is too old and it is likely that it will crumble soon (if it hasn't already). And that is supposedly why Google will stop using SHA1 (see also here).

Some other interesting reading might be

Thomas
  • 3,861
  • 4
  • 22
  • 26