    OpenPGP - MDC Packet - SHA1

    OpenPGP Standard RFC 4880 (Not totally a Linux question, but as I may be using GnuPG on Linux... I will ask anyhow)

    The Modification Detection Code Packet is defined to use SHA-1, even though it does state in section 13.11 that this can be altered, and gives example methods. However, this would cause interoperability, (q1) so I assume there is no standard method of doing this?

    (q2) How much of a threat do you believe this to be? Even though the SHA-1 hash is encrypted within the symmetrically encrypted integrity protected data packet.



    I don't know about your first question (though I would say your assumption is correct), but as for the second, according to Wikipedia (which quotes Bruce Schneier, who is quite a security guru):

    Quote Originally Posted by Wikipedia
    SHA-1 is the most widely used of the existing SHA hash functions, and is employed in several widely-used security applications and protocols. In 2005, security flaws were identified in SHA-1, namely that a mathematical weakness might exist, indicating that a stronger hash function would be desirable.
    I use GnuPG myself (just for email for now, with the Claws email client), but I really can't imagine having any information which would be worth enough for someone to take the time and try to crack the encryption. So no, I don't see this as a problem.

    ps. though IANAM - I am not a mathematician
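
How the MDC discussed in this thread is computed and checked under RFC 4880 (sections 5.13 and 5.14), as an added example that is not part of any post above. It works on the already-decrypted contents of the integrity protected data packet; the function names, the 16-octet block size default and the sample literal packet are constructed for illustration.

```python
import hashlib
import hmac
import os

MDC_HEADER = b"\xd3\x14"  # new-format tag 19, one-octet length 20 (0x14)
SHA1_LEN = 20

# Constructed sample: a literal data packet (tag 11) carrying b"hello".
SAMPLE_PACKETS = b"\xcb\x0b" + b"b\x00" + b"\x00\x00\x00\x00" + b"hello"


def build_protected_plaintext(packets: bytes, block_size: int = 16) -> bytes:
    """Return the plaintext that is symmetrically encrypted in a tag-18 packet."""
    rnd = os.urandom(block_size)
    prefix = rnd + rnd[-2:]  # random block, then its last two octets repeated
    body = prefix + packets + MDC_HEADER
    # The SHA-1 covers the prefix, the packets and the MDC packet's own header.
    return body + hashlib.sha1(body).digest()


def check_mdc(decrypted: bytes, block_size: int = 16) -> bytes:
    """Verify the trailing MDC packet; return the inner packets if it matches."""
    min_len = block_size + 2 + len(MDC_HEADER) + SHA1_LEN
    if len(decrypted) < min_len:
        raise ValueError("too short to hold prefix and MDC packet")
    body, mdc = decrypted[:-SHA1_LEN], decrypted[-SHA1_LEN:]
    if body[-2:] != MDC_HEADER:
        raise ValueError("MDC packet header missing")
    if not hmac.compare_digest(hashlib.sha1(body).digest(), mdc):
        raise ValueError("MDC mismatch: data was modified")
    return body[block_size + 2:-len(MDC_HEADER)]


if __name__ == "__main__":
    blob = build_protected_plaintext(SAMPLE_PACKETS)
    print("intact:", check_mdc(blob) == SAMPLE_PACKETS)
    tampered = bytearray(blob)
    tampered[20] ^= 0x01  # flip one bit inside the inner packet
    try:
        check_mdc(bytes(tampered))
    except ValueError as err:
        print("tampered:", err)
```
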
