If your email messages are being signed using SHA-1 you may not be
getting the security you think you are. Attacks on the hashing algorithm
have caused much pain to those that use it. Luckily SHA-2 is available
and hopefully we'll start seeing SHA-3 out in the world soon.
You've probably already seen SHA-2 in the wild designated as SHA-224,
SHA-256, SHA-384, and SHA-512. Because of the weaknesses found in SHA-1
it's important to not use that algorithm any longer. That means when
you generate hashes you shouldn't use sha1sum but rather one of the
SHA-2 tools: sha224sum, sha256sum, sha384sum, or sha512sum. How strong
a hash you need depends on how long the data must be protected. A
longer digest will be more secure for a longer period of time than a
shorter one.
GNU Privacy Guard (GPG), however, defaults to SHA-1 unless you manually
select another algorithm in your gpg.conf file (usually found in
~/.gnupg). To use something other than the default, add the following
lines:
personal-cipher-preferences AES256 TWOFISH AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP
These lines establish not only which algorithms to prefer for the
cipher, the digest (hashing), and compression, but also the order in
which to try them. You can determine what algorithms are available to
you by asking GPG on the command line:
$ gpg --version
...
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
GPG will show specifically what is supported based on what's built into
the code when the package was built.
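The two checks described above, combined as an added example (not part of the original article): it reads the personal-digest-preferences line from a gpg.conf and the Hash: line from gpg --version output, then reports any preferred digest that is not SHA-2 or that the build does not support. The function names and the sample inputs are constructed for illustration.

```python
import re

# SHA-2 family: the digests the article recommends in place of SHA-1.
SHA2 = {"SHA224", "SHA256", "SHA384", "SHA512"}

# Constructed sample: the algorithm listing from the article's "gpg --version".
SAMPLE_VERSION = """\
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
"""

def supported_hashes(version_output):
    """Return the digest names on the 'Hash:' line, wrapped lines included."""
    m = re.search(r"^Hash:(.*?)(?=^\w+:|\Z)", version_output, re.M | re.S)
    if not m:
        return set()
    return {n.strip().upper() for n in m.group(1).split(",") if n.strip()}

def digest_preferences(conf_text):
    """Return the ordered list from personal-digest-preferences, or None."""
    prefs = None
    for line in conf_text.splitlines():
        words = line.split()  # a commented-out line starts with '#', so it is skipped
        if words and words[0] == "personal-digest-preferences":
            prefs = [w.upper() for w in words[1:]]  # assumption: last entry is kept
    return prefs

def audit(conf_text, version_output):
    """Return findings; an empty list means SHA-2 only and all supported."""
    prefs = digest_preferences(conf_text)
    if not prefs:
        return ["personal-digest-preferences not set: GPG's default digest applies"]
    available = supported_hashes(version_output)
    findings = []
    for name in prefs:
        if name not in SHA2:
            findings.append(f"{name}: not a SHA-2 digest")
        if name not in available:
            findings.append(f"{name}: not supported by this gpg build")
    return findings

if __name__ == "__main__":
    confs = {"article": "personal-digest-preferences SHA512 SHA384 SHA256",
             "weak": "personal-digest-preferences SHA1 SHA256", "unset": ""}
    for label, conf in confs.items():
        print(label, audit(conf, SAMPLE_VERSION) or "ok")
```

To audit a real setup, pass the contents of ~/.gnupg/gpg.conf and the captured output of gpg --version to audit().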
Using the proper algorithm is important for maintaining a secure
communications environment, so do your research and use something with
which you feel comfortable.