SHA1 is epic fail (aka new keys)

Douglass Clem — Thu, 21 May 2009 20:00:59 +0000

I seem to have the worst of luck, in that shortly after I created new GPG keys and published them, someone found a new attack on the SHA1 hash algorithm. This attack is such that someone could probably pull it off if they had the financial resources of a government or large organization. Therefore, I’ve made a new key, 4096 RSA. The key is on the public internets, and is signed by my old key. I will be keeping my old key active until my purchase of 250 business cards runs out, at which point that key will expire. Please make sure to send all emails with my new key.

Also, it is a good idea to use better hash algorithms than SHA1. To do this automatically, simply put the following lines at the end of your .gnupg/gpg.conf file:
personal-digest-preferences SHA256
cert-digest-algo SHA256

Old key fingerprint: E1F6 ADF3 88B4 E5C4 E3B1
New key fingerprint: 37F9 E685 576A CFD3 B08C

P.S.

I had planned on having an inline signature with this blog post, but GPG and/or WordPress and/or Firefox and FireGPG have foiled my plans. Click here to see a text document containing this post plus valid signatures from my old new key and my new new key.

crashsystems.net » encryption

SHA1 is epic fail (aka new keys)