From: Morten Welinder <mwelinder@gmail.com>
To: Jeff King <peff@peff.net>
Cc: "Geert Uytterhoeven" <geert@linux-m68k.org>,
"Thomas Braun" <thomas.braun@virtuell-zuhause.de>,
"Jakub Narębski" <jnareb@gmail.com>, "Joey Hess" <id@joeyh.name>,
"Git Mailing List" <git@vger.kernel.org>
Subject: Re: SHA1 collisions found
Date: Mon, 27 Feb 2017 07:39:15 -0500 [thread overview]
Message-ID: <CANv4PNm4v7-m=UFUtFutdi2JkV7biV68hAaP=AFOYnz9J37VTw@mail.gmail.com> (raw)
In-Reply-To: <20170227104338.qfaaktf3or4hwfw7@sigill.intra.peff.net>
Just swap in md5 in place of sha1. Pad with '0'. That'll give you
all the collisions you want and none of those you don't want.
On Mon, Feb 27, 2017 at 5:43 AM, Jeff King <peff@peff.net> wrote:
> On Mon, Feb 27, 2017 at 10:57:37AM +0100, Geert Uytterhoeven wrote:
>
>> > Yeah, that is a lot more flexible for experimenting. Though I'd think
>> > you'd probably want more than 4 bits just to avoid accidental
>> > collisions. Something like 24 bits gives you some breathing space (you'd
>> > expect a random collision after 4096 objects), but it's still easy to
>> > do a preimage attack if you need to.
>>
>> Just shortening the hash causes lots of collisions between objects of
>> different types. While it's valuable to test git behavior for those cases, you
>> probably want some way to explicitly test collisions that do not change
>> the object type, as they're not trivial to detect.
>
> Right, that's why I'm suggesting to make a longer truncation so that
> you don't get accidental collisions, but can still find a few specific
> ones for your testing.
>
> 24 bits is enough to make toy repositories. If you wanted to store a
> real repository with the truncated sha1s, you might use 36 bits (that's
> 9 hex characters, which is enough for git.git to avoid any accidental
> collisions). But you can still find a collision via brute force in 2^18
> tries, which is not so bad.
>
> I.e., something like:
>
> diff --git a/block-sha1/sha1.c b/block-sha1/sha1.c
> index 22b125cf8..9158e39ed 100644
> --- a/block-sha1/sha1.c
> +++ b/block-sha1/sha1.c
> @@ -233,6 +233,10 @@ void blk_SHA1_Update(blk_SHA_CTX *ctx, const void *data, unsigned long len)
>
> void blk_SHA1_Final(unsigned char hashout[20], blk_SHA_CTX *ctx)
> {
> + /* copy out only the first 36 bits */
> + static const uint32_t mask_bits[5] = {
> + 0xffffffff, 0xf0000000
> + };
> static const unsigned char pad[64] = { 0x80 };
> unsigned int padlen[2];
> int i;
> @@ -247,5 +251,5 @@ void blk_SHA1_Final(unsigned char hashout[20], blk_SHA_CTX *ctx)
>
> /* Output hash */
> for (i = 0; i < 5; i++)
> - put_be32(hashout + i * 4, ctx->H[i]);
> + put_be32(hashout + i * 4, ctx->H[i] & mask_bits[i]);
> }
> Build that and make it available as git.broken, and then feed your repo
> into it, like:
>
> git init --bare fake.git
> git fast-export HEAD | git.broken -C fake.git fast-import
>
> at which point you have an alternate-universe version of the repository,
> which you can operate on as usual with your git.broken tool.
>
> And then you can come up with collisions via brute force:
>
> # hack to convince hash-object to do lots of sha1s in a single
> # invocation
> N=300000
> for i in $(seq $N); do
> echo $i >$i
> done
> seq 300000 | git.broken hash-object --stdin-paths >hashes
>
> for collision in $(sort hashes | uniq -d); do
> grep -n $collision hashes
> done
>
> The result is that "33713\n" and "170653\n" collide. So you can now add
> those to your fake.git repository and watch the chaos ensue.
>
> -Peff
prev parent reply other threads:[~2017-02-27 12:41 UTC|newest]
Thread overview: 136+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-23 16:43 SHA1 collisions found Joey Hess
2017-02-23 17:00 ` David Lang
2017-02-23 17:02 ` Junio C Hamano
2017-02-23 17:12 ` David Lang
2017-02-23 20:49 ` Jakub Narębski
2017-02-23 20:57 ` Jeff King
2017-02-23 17:18 ` Junio C Hamano
2017-02-23 17:35 ` Joey Hess
2017-02-23 17:52 ` Linus Torvalds
2017-02-23 18:21 ` Joey Hess
2017-02-23 18:31 ` Joey Hess
2017-02-23 19:13 ` Morten Welinder
2017-02-24 15:52 ` Geert Uytterhoeven
2017-02-23 18:40 ` Linus Torvalds
2017-02-23 18:46 ` Jeff King
2017-02-23 19:09 ` Linus Torvalds
2017-02-23 19:32 ` Jeff King
2017-02-23 19:47 ` Linus Torvalds
2017-02-23 19:57 ` Jeff King
[not found] ` <alpine.LFD.2.20.1702231428540.30435@i7.lan>
2017-02-23 22:43 ` Jeff King
2017-02-23 22:50 ` Linus Torvalds
2017-02-23 23:05 ` Jeff King
2017-02-23 23:05 ` [PATCH 1/3] add collision-detecting sha1 implementation Jeff King
2017-02-23 23:15 ` Stefan Beller
2017-02-24 0:01 ` Jeff King
2017-02-24 0:12 ` Linus Torvalds
2017-02-24 0:16 ` Jeff King
2017-02-23 23:05 ` [PATCH 2/3] sha1dc: adjust header includes for git Jeff King
2017-02-23 23:06 ` [PATCH 3/3] Makefile: add USE_SHA1DC knob Jeff King
2017-02-24 18:36 ` HW42
2017-02-24 18:57 ` Jeff King
2017-02-23 23:14 ` SHA1 collisions found Linus Torvalds
2017-02-28 18:41 ` Junio C Hamano
2017-02-28 19:07 ` Junio C Hamano
2017-02-28 19:20 ` Jeff King
2017-03-01 8:57 ` Dan Shumow
2017-02-28 19:34 ` Linus Torvalds
2017-02-28 19:52 ` Shawn Pearce
2017-02-28 22:56 ` Linus Torvalds
2017-02-28 21:22 ` Dan Shumow
2017-02-28 22:50 ` Marc Stevens
2017-02-28 23:11 ` Linus Torvalds
2017-03-01 19:05 ` Jeff King
2017-02-23 20:47 ` Øyvind A. Holm
2017-02-23 20:46 ` Joey Hess
2017-02-23 18:42 ` Jeff King
2017-02-23 17:52 ` David Lang
2017-02-23 19:20 ` David Lang
2017-02-23 17:19 ` Linus Torvalds
2017-02-23 17:29 ` Linus Torvalds
2017-02-23 18:10 ` Joey Hess
2017-02-23 18:29 ` Linus Torvalds
2017-02-23 18:38 ` Junio C Hamano
2017-02-24 9:42 ` Duy Nguyen
2017-02-25 19:04 ` brian m. carlson
2017-02-27 13:29 ` René Scharfe
2017-02-28 13:25 ` brian m. carlson
2017-02-24 15:13 ` Ian Jackson
2017-02-24 17:04 ` ankostis
2017-02-24 17:23 ` Jason Cooper
2017-02-25 23:22 ` ankostis
2017-02-24 17:32 ` Junio C Hamano
2017-02-24 17:45 ` David Lang
2017-02-24 18:14 ` Junio C Hamano
2017-02-24 18:58 ` Stefan Beller
2017-02-24 19:20 ` Junio C Hamano
2017-02-24 20:05 ` ankostis
2017-02-24 20:32 ` Junio C Hamano
2017-02-25 0:31 ` ankostis
2017-02-26 0:16 ` Jason Cooper
2017-02-26 17:38 ` brian m. carlson
2017-02-26 19:11 ` Linus Torvalds
2017-02-26 21:38 ` Ævar Arnfjörð Bjarmason
2017-02-26 21:52 ` Jeff King
2017-02-27 13:00 ` Transition plan for git to move to a new hash function Ian Jackson
2017-02-27 14:37 ` Why BLAKE2? Markus Trippelsdorf
2017-02-27 15:42 ` Ian Jackson
2017-02-27 19:26 ` Transition plan for git to move to a new hash function Tony Finch
2017-02-28 21:47 ` brian m. carlson
2017-03-02 18:13 ` Ian Jackson
2017-03-04 22:49 ` brian m. carlson
2017-03-05 13:45 ` Ian Jackson
2017-03-05 23:45 ` brian m. carlson
2017-02-24 20:05 ` SHA1 collisions found Junio C Hamano
2017-02-24 20:33 ` Philip Oakley
2017-02-24 23:39 ` Jeff King
2017-02-25 0:39 ` Linus Torvalds
2017-02-25 0:54 ` Linus Torvalds
2017-02-25 1:16 ` Jeff King
2017-02-26 18:55 ` Junio C Hamano
2017-02-25 6:10 ` Junio C Hamano
2017-02-26 1:13 ` Jason Cooper
2017-02-26 5:18 ` Jeff King
2017-02-26 18:30 ` brian m. carlson
2017-03-02 21:46 ` Brandon Williams
2017-03-03 11:13 ` Jeff King
2017-03-03 14:54 ` Ian Jackson
2017-03-03 22:18 ` Jeff King
2017-03-02 19:55 ` Linus Torvalds
2017-03-02 20:43 ` Junio C Hamano
2017-03-02 21:21 ` Linus Torvalds
2017-03-02 21:54 ` Joey Hess
2017-03-02 22:27 ` Linus Torvalds
2017-03-03 1:50 ` Mike Hommey
2017-03-03 2:19 ` Linus Torvalds
2017-03-03 11:04 ` Jeff King
2017-03-03 21:47 ` Stefan Beller
2017-02-25 1:00 ` David Lang
2017-02-25 1:15 ` Stefan Beller
2017-02-25 1:21 ` Jeff King
2017-02-25 1:39 ` David Lang
2017-02-25 1:47 ` Jeff King
2017-02-25 1:56 ` David Lang
2017-02-25 2:28 ` Jacob Keller
2017-02-25 2:26 ` Jacob Keller
2017-02-25 5:39 ` grarpamp
2017-02-24 23:43 ` Ian Jackson
2017-02-25 0:06 ` Ian Jackson
2017-02-25 18:50 ` brian m. carlson
2017-02-25 19:26 ` Jeff King
2017-02-25 22:09 ` Mike Hommey
2017-02-26 17:38 ` brian m. carlson
2017-02-24 22:47 ` Jakub Narębski
2017-02-24 22:53 ` Santiago Torres
2017-02-24 23:05 ` Jakub Narębski
2017-02-24 23:24 ` Øyvind A. Holm
2017-02-24 23:06 ` Jeff King
2017-02-24 23:35 ` Jakub Narębski
2017-02-25 22:35 ` Lars Schneider
2017-02-26 0:46 ` Jeff King
2017-02-26 18:22 ` Junio C Hamano
2017-02-26 18:57 ` Thomas Braun
2017-02-26 21:30 ` Jeff King
2017-02-27 9:57 ` Geert Uytterhoeven
2017-02-27 10:43 ` Jeff King
2017-02-27 12:39 ` Morten Welinder [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CANv4PNm4v7-m=UFUtFutdi2JkV7biV68hAaP=AFOYnz9J37VTw@mail.gmail.com' \
--to=mwelinder@gmail.com \
--cc=geert@linux-m68k.org \
--cc=git@vger.kernel.org \
--cc=id@joeyh.name \
--cc=jnareb@gmail.com \
--cc=peff@peff.net \
--cc=thomas.braun@virtuell-zuhause.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).