From: "C. Scott Ananian" <cscott@cscott.net>
To: omb@bluewin.ch
Cc: David Lang <david.lang@digitalinsight.com>,
Ingo Molnar <mingo@elte.hu>,
git@vger.kernel.org
Subject: Re: SHA1 hash safety
Date: Sat, 16 Apr 2005 10:58:15 -0400 (EDT) [thread overview]
Message-ID: <Pine.LNX.4.61.0504161040310.29343@cag.csail.mit.edu> (raw)
In-Reply-To: <4261132A.3090907@khandalf.com>
On Sat, 16 Apr 2005, Brian O'Mahoney wrote:
> (1) I _have_ seen real-life collisions with MD5, in the context of
> Document management systems containing ~10^6 ms-WORD documents.
Dude! You could have been *famous*! Why the
aitch-ee-double-hockey-sticks didn't you publish this when you found it?
Seriously, man.
Even given the known weaknesses in MD5, it would take much more than a
million documents to find MD5 collisions. I can only conclude that the
hash was being used incorrectly; most likely truncated (my wild-ass guess
would be to 32 bits; a collision is likely with > 50% probability in a
million document store for a hash of less than 40 bits).
I know the current state of the art here. It's going to take more than
just hearsay to convince me that full 128-bit MD5 collisions are likely.
I believe there are only two or so known to exist so far, and those were
found by a research team in China (which, yes, is fairly famous among the
cryptographic community now after publishing a paper consisting of little
apart from the two collisions themselves).
Please, let's talk about hash collisions responsibly. I posted earlier
about the *actual computed probability* of finding two files with an SHA-1
collision before the sun goes supernova. It's 10^28 to 1 against.
The recent cryptographic works has shown that there are certain situations
where a decent amount of computer work (2^69 operations) can produce two
sequences with the same hash, but these sequences are not freely chosen;
they've got very specific structure. This attack does not apply to
(effectively) random files sitting in a SCM.
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
That said, Linux's widespread use means that it may not be unimaginable
for an attacker to devote this amount of resources to an attack, which
would probably involve first committing some specially structured file to
the SCM (but would Linus accept it?) and then silently corrupting said
file via a SHA1 collision to toggle some bits (which would presumably Do
Evil). Thus hashes other than SHA1 really ought to be considered...
...but the cryptographic community has not yet come to a conclusion on
what the replacement ought to be. These attacks are so new that we don't
really understand what it is about the structure of SHA1 which makes them
possible, which makes it hard to determine which other hashes are
similarly vulnerable. It will take time.
I believe Linus has already stated on this list that his plan is to
eventually provide a tool for bulk migration of an existing SHA1 git
repository to a new hash type. Basically munging through the repository
in bulk, replacing all the hashes. This seems a perfectly adequate
strategy at the moment.
--scott
WASHTUB Panama Minister Moscow explosives KUGOWN hack Marxist LPMEDLEY
genetic immediate radar SCRANTON COBRA JANE KGB Shoal Bay atomic Bejing
( http://cscott.net/ )
next prev parent reply other threads:[~2005-04-16 14:56 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-16 12:24 SHA1 hash safety David Lang
2005-04-16 12:31 ` Ingo Molnar
2005-04-16 12:48 ` David Lang
2005-04-16 13:29 ` Brian O'Mahoney
2005-04-16 14:58 ` C. Scott Ananian [this message]
2005-04-16 15:11 ` Petr Baudis
2005-04-16 15:36 ` C. Scott Ananian
2005-04-16 22:56 ` David Lang
2005-04-16 23:11 ` Paul Jackson
2005-04-16 23:18 ` Martin Mares
2005-04-17 4:38 ` David A. Wheeler
2005-04-18 0:09 ` Theodore Ts'o
2005-04-16 15:49 ` ross
2005-04-17 6:35 ` Horst von Brand
2005-04-18 2:07 ` Brian O'Mahoney
2005-04-18 16:50 ` C. Scott Ananian
2005-04-16 19:16 ` Paul Jackson
2005-04-16 21:35 ` Brian O'Mahoney
2005-04-18 7:43 ` Andy Isaacson
2005-04-18 17:04 ` C. Scott Ananian
2005-04-19 22:30 ` David Meybohm
2005-04-19 22:48 ` C. Scott Ananian
2005-04-20 18:56 ` David Meybohm
2005-04-16 22:46 ` David Lang
2005-04-16 23:14 ` Paul Jackson
2005-04-16 22:33 ` David Lang
2005-04-17 3:23 ` Tkil
2005-04-17 4:09 ` Paul Jackson
2005-04-17 4:43 ` Tkil
2005-04-17 5:09 ` Paul Jackson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.61.0504161040310.29343@cag.csail.mit.edu \
--to=cscott@cscott.net \
--cc=david.lang@digitalinsight.com \
--cc=git@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=omb@bluewin.ch \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).