Why GPG subkeys must die

I’ve always looked at GPG subkeys with a bit of fascination, thinking it’s the thing that separates GPG aristocrats from ignorant crypto-peasants like myself. Turns out that, while the idea of having master and slave keys is cryptographically sound, the GPG implementation is insecure.

As usual, #bitcoin-assets has it, and tells us exactly why.

Yes, the reason is simply that what glues the master and the sub together, is a SHA1 hash. According to Schneier it cost ~$3mn in 2012 to find an arbitrary SHA1 collision. That alone is grounds to burn the whole thing down.

Now imagine what the figure has become in 2015, when the Bitcoin-world has spent the last six years relentlessly looking for more efficient ways to bruteforce the living crap out of SHA2.

One of the reasons, among others, that re-doing GPG has been on #b-a’s TODO for a while.

1 thought on “Why GPG subkeys must die

  1. none

    I’m not freaking out yet.

    1) finding a free collision is much easier than finding a preimage, and unless I’m mistaken you need a preimage to spoof a subkey.

    2) I think that $3M figure was not based on brute force search, but rather on a cryptanalytic attack that makes the break much faster than brute force. The Bitcoin community has been brute forcing SHA2 like crazy as you say, but I don’t think it has put much effort into cryptanalysis. So I don’t know the long term status of SHA2. I do think SHA3 happened because doubts about SHA2 in the cryptology world.


Leave a Reply

Your email address will not be published. Required fields are marked *