SHA-1 and changeset signatures
Chad Netzer
cnetzer at comcast.net
Fri Aug 26 17:47:54 CDT 2005
On Fri, 2005-08-26 at 14:40 -0700, Matt Mackall wrote:
> Let's assume you could insert meaningless blob X as file F into a repo
> in such a way that it was innocuous and unsuspicious.
>
> Now you've got to insert meaningless blob Y in X's place in such a way
> that it actually does something useful.
Technically, I think it is true that if you find two inputs whose
lengths are multiples of 512 bits, and which have the same hash value,
you could prepend them to a given message and come up with more hash
collisions (because SHA processes in 512-bit chunks with no overlap, and
adds the result of each chunk).
So, for a hash function H():
if H(X) == H(Y), and X and Y are multiples of 512 bits, then
for a given message G, where X + G is X prepended to G:
H(X + G) == H(Y + G)
And I think there may be other cases like this, although I consider this
basically a degenerate case. So, if you do come up with blobs X and Y,
by placing them in specific locations you may make this attack
"feasible" (but still very impractical, IMO). I'm not too worried.
I think the real reason to migrate (at some point) to another crypto
hash really has more to do with people's perceptions of cryptography,
etc. It simply may become a requirement to be using a 'better' hash, or
else paranoid people, companies, etc. will refuse to adopt software
still using SHA-1, regardless of the actual security issues.
But as I said before, if you can't trust the code committers (or review
the code from unknown contributors), hash collisions are the least of
your worries.
Chad
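The prepend-and-share-a-suffix property described in the post is a general
feature of Merkle-Damgaard hashes, of which SHA-1 is one. The following is an
added example, not part of Chad's message and not Mercurial or SHA-1 code: a
toy hash with SHA-1's structure (fixed-size blocks, a chaining state fed
through a compression function, and a final padding block that encodes the
message length) but with a 16-bit state, so that a colliding pair of blocks
X and Y can be found by a birthday search in a few hundred attempts. The
block size, state width, IV and mixing function are arbitrary choices made
for the example. One caveat worth making explicit: what has to collide is the
chaining state after processing X and Y, with X and Y block-aligned and of
the same length, so that the padding block and every later block of G are
processed identically on both sides; that is exactly the kind of collision an
identical-prefix attack produces, and the code checks it directly.

```python
# Toy Merkle-Damgaard hash, constructed for this example (not Mercurial or
# SHA-1 code).  It keeps SHA-1's structure -- fixed-size blocks, a chaining
# state fed through a compression function, and a final padding block that
# encodes the message length -- but shrinks the state to 16 bits so that a
# collision can be found by a birthday search in a few hundred attempts.
import itertools
import struct
from typing import Tuple

BLOCK = 8                     # bytes per block (SHA-1: 64 bytes = 512 bits)
STATE_BITS = 16               # chaining-state width (SHA-1: 160 bits)
MASK = (1 << STATE_BITS) - 1
M64 = (1 << 64) - 1
IV = 0x1234                   # fixed initial state, arbitrary choice


def compress(state: int, block: bytes) -> int:
    """Absorb one block into the chaining state.

    The mixer is the splitmix64 finalizer applied to (block + state * k),
    truncated to STATE_BITS; it is here only to behave like a random-looking
    many-to-one function, which is all the demonstration needs.
    """
    w = struct.unpack(">Q", block)[0]
    z = (w + state * 0x9E3779B97F4A7C15) & M64
    z = ((z ^ (z >> 30)) * 0xBF58476D1CE4E5B9) & M64
    z = ((z ^ (z >> 27)) * 0x94D049BB133111EB) & M64
    z ^= z >> 31
    return z & MASK


def pad(msg: bytes) -> bytes:
    """MD-strengthening pad: 0x80, zero bytes, then the message length.

    As in SHA-1, two messages of the same length always get the same padding,
    which is why a same-length, block-aligned collision survives any suffix.
    """
    padded = msg + b"\x80"
    while (len(padded) + 2) % BLOCK:
        padded += b"\x00"
    return padded + struct.pack(">H", len(msg) & 0xFFFF)


def chain(data: bytes, state: int = IV) -> int:
    """Run the compression function over whole blocks only (no padding)."""
    if len(data) % BLOCK:
        raise ValueError("chain() needs block-aligned input")
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def toy_hash(msg: bytes) -> int:
    """Full hash: pad, then chain from IV over every block."""
    return chain(pad(msg))


def find_block_collision() -> Tuple[bytes, bytes]:
    """Birthday search: two distinct single blocks X != Y with chain(X) == chain(Y).

    Only the chaining state has to collide, not the padded final hash; that is
    the kind of collision an identical-prefix attack on a real hash delivers.
    """
    seen = {}
    for n in itertools.count():
        blk = struct.pack(">Q", n)
        s = compress(IV, blk)
        if s in seen:
            return seen[s], blk
        seen[s] = blk


def collision_extends(x: bytes, y: bytes, g: bytes) -> bool:
    """The property from the post: with X and Y block-aligned, the same length,
    and colliding in the chaining state, H(X + G) == H(Y + G) for any G."""
    return toy_hash(x + g) == toy_hash(y + g)


if __name__ == "__main__":
    x, y = find_block_collision()
    print("X =", x.hex(), " Y =", y.hex())
    print("chain(X) == chain(Y):", chain(x) == chain(y))
    print("H(X) == H(Y):        ", toy_hash(x) == toy_hash(y))
    g = b"def hello():\n    return 'innocuous file contents'\n"   # constructed suffix
    print("H(X+G) == H(Y+G):    ", collision_extends(x, y, g))
```

Running it prints the colliding blocks and three True lines. The same
argument applies unchanged to SHA-1 with BLOCK = 64 and a 160-bit state; only
the cost of find_block_collision() differs, which is the whole point of the
"feasible but impractical" distinction in the post.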
More information about the Mercurial mailing list