SHA-1 and changeset signatures
Benoit Boissinot
bboissin at gmail.com
Fri Aug 26 17:57:21 CDT 2005
On 8/27/05, Chad Netzer <cnetzer at comcast.net> wrote:
> On Fri, 2005-08-26 at 15:16 -0700, Eric Hopper wrote:
>
> > The attack is real. I've personally downloaded two different .ps files
> > that were completely different documents, but had the same hash. They
> > stuffed in the necessary arbitrary stuff in a 30-60 some odd bytes of
> > comment in each .ps file.
>
> If those .ps files are not sensitive (ie. containing personal data,
> etc.), I'd certainly love to see them. Are you saying they had the same
> md5sum, or the same sha1sum (or something else)? If the comment data
> was not gibberish, and it was a sha1sum, you may be describing a
> pre-image attack on a well-regarded cryptographic hash function; quite a
> powerful statement indeed.
>
> Seriously, let me know if I could examine those files; if so, could
> please you email them to me? Many thanks in advance.
>
> Chad
>
it is on the links that was posted:
http://www.cits.rub.de/MD5Collisions/
regards,
Benoit
More information about the Mercurial
mailing list