Hashing Algorithm: Is your GPG configuration secure?
If your email messages are being signed using SHA-1 you may not be getting the security you think you are. Attacks on the hashing algorithm have caused much pain to those that use it. Luckily SHA-2 is available and hopefully we’ll start seeing SHA-3 out in the world soon.
You’ve probably already seen SHA-2 in the wild designated as SHA-224, SHA-256, SHA-384, and SHA-512. Because of the weaknesses found in SHA-1 it’s important to not use that algorithm any longer. That means when you generate hashes you shouldn’t use sha1sum but rather one of the SHA-2 tools: sha224sum, sha256sum, sha384sum, or sha512sum. Depending on the length of time you need to protect the data the strength of the hash will be important. A larger key will be more secure for a longer period of time than a shorter one.
GNU Privacy Guard (GPG) has a default of using SHA-1, however, unless you manually select another algorithm in your gpg.conf file (usually found in ~/.gnupg). To use something other than the default you should add the following lines:
personal-cipher-preferences AES256 TWOFISH AES192 AES personal-digest-preferences SHA512 SHA384 SHA256 personal-compress-preferences ZLIB BZIP2 ZIP
These lines establish not only the preferences for which algorithms to use (for cipher, digest (hashing), and compression) but also in what order to use them. You can determine what algorithms are available to you by asking GPG in the command line:
$ gpg --version ... Home: ~/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2
GPG will show specifically what is supported based on what’s built into the code when the package was built.
Using the proper algorithm is important for maintaining a secure communications environment so do your research and use something in which you feel comfortable.