
Re: how close is OpenPGP tied to SHA1



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Feb 2, 2009, at 5:14 AM, Peter Thomas wrote:

>
> Hi Daniel.
>
> On Mon, Feb 2, 2009 at 2:59 AM, Daniel Kahn Gillmor
> <dkg@xxxxxxxxxxxxxxxxx> wrote:
>> This was just discussed on the list last month in a thread titled "A
>> review of hash function brittleness in OpenPGP":
> Thanks for that pointer.
>
>> Proposals?
> Well,.. not really ;-)
> The first question would be: Are SHA2 algorithms really more secure
> than SHA1?

Yes.

> If so one could think to switch for example to SHA512.

You could. This is what most people are doing.

>
> Or even wait for SHA3.

This is likely the best answer.

>
> Or are there any other promising hash functions? Whirlpool?

Whirlpool is in my opinion a 2005 answer, not a 2009 answer. The  
problem with Whirlpool is that it's slow, and still not as well  
examined as SHA2.

Nonetheless, I've heard tell that someone is working on a Whirlpool
I-D, which isn't a bad thing, but is arguably unneeded presently.

	Jon

-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.6.3
Charset: US-ASCII

wj8DBQFJhzXSsTedWZOD3gYRAtnjAJ4jMDgb4Mo8IvmwrDm2/6VoErPDRQCePy0H
iVfu1LkaNDzGbiQG3tJR6Ss=
=45R0
-----END PGP SIGNATURE-----