SHA-1 and changeset signatures

Chad Netzer cnetzer at
Fri Aug 26 17:54:43 CDT 2005

On Fri, 2005-08-26 at 15:16 -0700, Eric Hopper wrote:

> The attack is real.  I've personally downloaded two different .ps files
> that were completely different documents, but had the same hash.  They
> stuffed in the necessary arbitrary stuff in a 30-60 some odd bytes of
> comment in each .ps file.

If those .ps files are not sensitive (i.e. containing personal data,
etc.), I'd certainly love to see them.  Are you saying they had the same
md5sum, or the same sha1sum (or something else)?  If the comment data
was not gibberish, and it was a sha1sum, you may be describing a
pre-image attack on a well-regarded cryptographic hash function; quite a
powerful statement indeed.

Seriously, let me know if I could examine those files; if so, could
you please email them to me?  Many thanks in advance.

