
What’s the deal with SHA Algorithms anyway?

May 23rd, 2006 by Adam

It’s been widely published that certain SHA algorithms (used to digitally sign your email) are becoming less and less secure. For example, it’s been proved that the MD5 algorithm (widely used for file verification) has been broken. The newer SHA algorithm was also discovered to be very weak when subjected to cryptographic attack - this led to a new version of SHA being released called SHA-1 (the original version is now known as SHA-0 and is virtually never used). SHA-1 is a 160-bit hash, and it has been found to have some severe weaknesses too.

But what does this actually mean? Well, it means that someone could potentially “fake” a file or email signature, leading you to download a malicious file (for example, they may include a virus or security hole in some software, and this fake file would still be verified by the original MD5 sum), or they may be able to send an email with a faked email address and signature, making you think the email is from a reputable source. This could potentially lead you to give out some sensitive information to someone who shouldn’t get the information. This could compromise businesses through pre-release information etc., or home users if used as part of a complex phishing attack.

So is something being done about this? Well, the short answer is yes.

Currently, there are new, more secure hash algorithms available such as SHA-256 and SHA-512 which do not have the same problems as their predecessors. However, these are no use to anyone who still uses a DSA key. DSA signing keys require the use of a 160-bit hash function - i.e. SHA-1 or RIPEMD160. These are not as secure (and in the case of SHA-1 may even be broken) as the newer hash algorithms. The newest CVS versions of GnuPG allow users to make use of DSA-2 - this is a DSA key that enables the use of a truncated hash, meaning you can use, for example, SHA-256 with your DSA keys.

The newest CVS versions of GnuPG also include the new SHA-224 algorithm, specifically targeted at DSA-2 keys. This hash algorithm is, again, much stronger than the older 160-bit hash functions, allowing DSA keys to continue to be useful.
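The hash truncation described above, as an added example (not code from the original post or from GnuPG): following the FIPS 186-3 rule, signer and verifier both keep only the leftmost bits of the digest, as many as q has, so one DSA key can sign with SHA-1, SHA-256 or SHA-224. The parameters P, Q, G and all function names are constructed for illustration, and the parameters are far too small for real use.

```python
import hashlib
import secrets

# Toy DSA domain parameters, constructed for this example and far too small
# for real use: Q is prime, Q divides P - 1, and G has order Q modulo P.
P, Q, G = 607, 101, 64

def truncated_hash(message: bytes, hash_name: str, q_bits: int) -> int:
    """Return the leftmost min(q_bits, digest size) bits of the digest as an integer."""
    digest = hashlib.new(hash_name, message).digest()
    out_bits = len(digest) * 8
    z = int.from_bytes(digest, "big")
    return z >> (out_bits - q_bits) if out_bits > q_bits else z

def sign(message: bytes, x: int, hash_name: str) -> tuple:
    """DSA signature (r, s) over the truncated digest, using private key x."""
    z = truncated_hash(message, hash_name, Q.bit_length())
    while True:
        k = secrets.randbelow(Q - 1) + 1      # fresh per-signature nonce in [1, Q-1]
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (z + x * r) % Q
        if r and s:                           # retry in the rare r == 0 or s == 0 case
            return r, s

def verify(message: bytes, sig: tuple, y: int, hash_name: str) -> bool:
    """Check (r, s) against public key y; the verifier truncates the same way."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    z = truncated_hash(message, hash_name, Q.bit_length())
    w = pow(s, -1, Q)
    v = pow(G, z * w % Q, P) * pow(y, r * w % Q, P) % P % Q
    return v == r

def demo() -> dict:
    """Sign and verify one constructed message with the same key and three hashes."""
    x = secrets.randbelow(Q - 1) + 1          # private key
    y = pow(G, x, P)                          # public key
    msg = b"constructed sample message"
    return {h: verify(msg, sign(msg, x, h), y, h) for h in ("sha1", "sha256", "sha224")}

if __name__ == "__main__":
    print(demo())
    # With a 160-bit q, SHA-256 contributes only its leftmost 160 of 256 bits.
    print(hex(truncated_hash(b"constructed sample message", "sha256", 160)))
```

With a 160-bit q the signature still carries at most 160 bits of digest, so the gain from SHA-256 is the stronger underlying hash function, not a longer signed value.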

So here’s the Geeky part: How do you use the new SHA functions with your DSA keys? Well, you will need to download and/or compile the latest CVS release of GnuPG. Then, you simply run the program as normal and include the command “gpg --enable-dsa2”. Please note, however, that unless you know what you’re doing and you’ve used the GnuPG Command Line before, this isn’t a simple process.

Instead, you could wait a (very) short time for the forthcoming release of Mobility Email which comes with these features pre-installed and active.

Questions or comments? Feel free to add them here.
