PGP Corporation is planning to migrate to a more secure version of the Secure Hash Algorithm (SHA) in the upcoming releases of its PGP Desktop and PGP Universal encryption solutions. According to a report released this week by a team at Shandong University in China, the SHA-1 algorithm that supports the digital signatures used in popular SSL browser security and encryption can be successfully attacked. The same team helped break MD5, another commonly used cryptographic hash algorithm, in August 2004.
According to the company, all PGP products are architected to allow for rapid and non-disruptive migration of all encryption, hash, compression, and signature algorithms. PGP Corporation began planning the migration to more secure hash algorithms after MD5 was compromised last year. Jon Callas, CTO & CSO of PGP Corporation, addressed the company's design philosophy in a September 2004 CTO Corner article entitled "Much ado about hash functions". At the same time, PGP engineers began implementing a shift from SHA-1 to the stronger algorithms (SHA-256 and SHA-512) while preserving interoperability with existing software. The upcoming releases of PGP Desktop and PGP Universal will allow users to select from a broader range of authentication options.
"The work done by the University of Shandong team is in the finest tradition of cryptoanalytic peer review," said Callas. "The best minds continually review existing algorithms, identify issues that need to be addressed, and the entire community of vendors and users benefits. We will continue to monitor the cryptographic integrity of the algorithms used in PGP products and upgrade them as required to provide our customers with the most secure information security solutions available."