SHA-1 and changeset signatures

Eric Hopper hopper at omnifarious.org
Fri Aug 26 16:08:46 CDT 2005


On Fri, Aug 26, 2005 at 10:40:50AM -0700, Matt Mackall wrote:
> But the trouble is that the recently discovered attacks are not
> finding a collision with the hash of an existing text (a preimage
> attack), but finding one between two random hashes. The existing text
> case is still expected to be well beyond the reach of currently
> available hardware.

Yes, but source code is text someone creates.  So it's possible for
someone to create two sets of source changes (especially as I said if
some of the changes are to binary files) that hash to the same value.

> So there just isn't much that can be done in the way of practical
> exploits against Mercurial with these new attacks.
> 
> Within the next year, we may know more, and have a better idea of
> what's actually worth switching to. For now, practical attacks are a
> ways off.

*nod* Even if the hash function that looks most promising generates more than
256 bits of data, it's probably only worth keeping 256 bits anyway.  So
your format change for the repository is fine.

But I do think you should have a byte or two reserved for stating which
hash algorithm was used for a particular change, and a way of indicating
that in the text change ID as well.  It would be tedious and make people
resist migrating if you had to do a full repository conversion every
time the hash function changed.  That makes Mercurial a little more
vulnerable to downgrade attacks, but that can be addressed by having a
two phase migration where the second phase has it refusing any new
changes that use the old hash function.

Have fun (if at all possible),
-- 
"It does me no injury for my neighbor to say there are twenty gods or no God.
It neither picks my pocket nor breaks my leg."  --- Thomas Jefferson
"Go to Heaven for the climate, Hell for the company."  -- Mark Twain
-- Eric Hopper (hopper at omnifarious.org  http://www.omnifarious.org/~hopper) --
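
An added illustration of the scheme proposed in the message above (not part of the original post, and not Mercurial's actual repository format): a change ID that carries a one-byte hash algorithm tag, a text form that names the algorithm, and a two-phase migration in which phase 2 refuses new changes made with the old hash. The tag values, the `Repo` class and all function names are hypothetical.

```python
import hashlib

# Hypothetical one-byte algorithm tags; not Mercurial's on-disk format.
ALGORITHMS = {0x01: ("sha1", hashlib.sha1), 0x02: ("sha256", hashlib.sha256)}
TAG_BY_NAME = {name: tag for tag, (name, _) in ALGORITHMS.items()}


def make_id(data: bytes, algo: str) -> bytes:
    """Binary change ID: one tag byte followed by the digest."""
    tag = TAG_BY_NAME[algo]
    return bytes([tag]) + ALGORITHMS[tag][1](data).digest()


def text_id(change_id: bytes) -> str:
    """Text form that names the algorithm, e.g. 'sha256:ab12...'."""
    return f"{ALGORITHMS[change_id[0]][0]}:{change_id[1:].hex()}"


class Repo:
    """Toy store illustrating the two-phase migration.

    Phase 1: new changes may use either hash, so old clients keep working.
    Phase 2: stored old-hash changes stay readable, but new changes that
    use the old hash are refused, which closes the downgrade path.
    """

    def __init__(self, phase: int = 1, preferred: str = "sha256"):
        self.phase, self.preferred, self.changes = phase, preferred, {}

    def accept(self, change_id: bytes, data: bytes) -> str:
        tag = change_id[0] if change_id else None
        if tag not in ALGORITHMS:
            raise ValueError("unknown hash algorithm tag")
        name, fn = ALGORITHMS[tag]
        if self.phase >= 2 and name != self.preferred:
            raise PermissionError(f"new changes hashed with {name} are refused")
        if fn(data).digest() != change_id[1:]:
            raise ValueError("digest does not match content")
        self.changes[change_id] = data
        return text_id(change_id)

    def verify(self, change_id: bytes) -> bool:
        """Re-check a stored change under the algorithm its tag names."""
        _, fn = ALGORITHMS[change_id[0]]
        return fn(self.changes[change_id]).digest() == change_id[1:]
```

Because each ID names its own algorithm, history written before the switch verifies without a full repository conversion; only the acceptance policy changes between phases.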