GnuPG uses SHA1 for key signatures

Bug #1288293 reported by xor
This bug affects 1 person
Affects: gnupg (Ubuntu)
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

(SHA1 has generally been considered broken since 2005!)

Used software:
Kubuntu 13.10 amd64
GnuPG package Version: 1.4.14-1ubuntu2.1 (taken from dpkg --status gnupg)

Reproducing instructions:
Generate two keys using default key parameters:
$ gpg --homedir test --gen-key
$ gpg --homedir test --gen-key

Sign one key with the other:
$ gpg --edit-key name-of-first-key
sign
quit

Dump the signed key:
$ gpg --homedir test --export name-of-first-key | gpg --homedir test --list-packets

You will now notice that all signatures, and therefore even the self-signatures, use "digest algo 2".
This is SHA1:
http://tools.ietf.org/html/rfc4880#section-9.4

information type: Private Security → Public Security
xor (xor) wrote :

Sorry, there were two glitches in the original instructions:
- You need to generate the GPG home directory beforehand ($ mkdir test), otherwise key generation will fail.

- The "$ gpg --edit-key name-of-first-key" should instead be "$ gpg --homedir test --local-user name-of-second-key -edit-key name-of-first-key". I.e. the home directory was not specified, and you need to tell GPG to use the *second key* for signing the first.

xor (xor) wrote :

Damn, another typo in the previous comment ("-edit-key" instead of "--edit-key"). Sorry sorry. Here is everything fixed with reduced line count:
$ mkdir test
$ gpg --homedir test --gen-key
$ gpg --homedir test --gen-key
$ gpg --homedir test --local-user name-of-second-key --sign-key name-of-first-key
$ gpg --homedir test --export name-of-first-key | gpg --homedir test --list-packets
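
Added example (not part of the original report and not GnuPG code): a shell filter that reads the --list-packets text produced by the last command above and names each signature's digest algorithm, flagging MD5 and SHA1. The function names and the sample packet dump are constructed for illustration, and the parser assumes the GnuPG 1.4 text layout (a ":signature packet:" header followed by indented "sigclass" and "digest algo" lines).

```shell
#!/bin/sh
# Added example: audit signature digest algorithms in `gpg --list-packets` output.
# Real use, with the commands from the report:
#   gpg --homedir test --export name-of-first-key |
#     gpg --homedir test --list-packets | audit_sig_digests

# Hash algorithm IDs as assigned in RFC 4880 section 9.4.
digest_name() {
  case "$1" in
    1)  echo MD5 ;;
    2)  echo SHA1 ;;
    3)  echo RIPEMD160 ;;
    8)  echo SHA256 ;;
    9)  echo SHA384 ;;
    10) echo SHA512 ;;
    11) echo SHA224 ;;
    *)  echo "unknown($1)" ;;
  esac
}

# stdin: --list-packets text. stdout: "<issuer keyid> <sigclass> <digest> <WEAK|ok>"
audit_sig_digests() {
  awk '
    /^:signature packet:/  { keyid = $NF; sigclass = "?"; insig = 1; next }
    /^:/                   { insig = 0; next }   # any other packet ends the signature
    insig && /sigclass/    { sigclass = $NF }
    insig && /digest algo/ { algo = $3; sub(/,/, "", algo); print keyid, sigclass, algo }
  ' | while read -r keyid sigclass algo; do
    case "$algo" in
      1|2) verdict=WEAK ;;   # MD5 and SHA1
      *)   verdict=ok ;;
    esac
    echo "$keyid $sigclass $(digest_name "$algo") $verdict"
  done
}

# Constructed sample dump (not real key material): one SHA1 self-signature
# (sigclass 0x13) and one SHA256 certification (sigclass 0x10).
sample_packets() {
  cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1394000000, expires 0
:user ID packet: "Constructed Sample <sample@example.invalid>"
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
    version 4, created 1394000001, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 12 34
:signature packet: algo 1, keyid BBBBBBBBBBBBBBBB
    version 4, created 1394000002, md5len 0, sigclass 0x10
    digest algo 8, begin of digest 56 78
EOF
}

sample_packets | audit_sig_digests
```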

xor (xor) wrote :

"As of 2012, the most efficient attack against SHA-1 is considered to be the one by Marc Stevens[32] with an estimated cost of $2.77M to break a single hash value by renting CPU power from cloud servers.[33] Stevens developed this attack in a project called HashClash,[34] implementing a differential path attack. On 8 November 2010, he claimed he had a fully working near-collision attack against full SHA-1 working with an estimated complexity equivalent to 2^57.5 SHA-1 compressions. He estimates this attack can be extended to a full collision with a complexity around 2^61."

Source: http://en.wikipedia.org/w/index.php?title=SHA-1&oldid=598619464#Attacks

Marc Deslauriers (mdeslaur) wrote :

Thanks for opening this bug.

Please report this issue in the upstream bug tracker:

https://bugs.g10code.com/gnupg/index

Once you've done that, link the upstream bug here. Thanks.

Changed in gnupg (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist