SHA-1 and changeset signatures

Matt Mackall mpm at selenic.com
Fri Aug 26 18:13:00 CDT 2005


On Fri, Aug 26, 2005 at 03:16:51PM -0700, Eric Hopper wrote:
> On Fri, Aug 26, 2005 at 02:40:38PM -0700, Matt Mackall wrote:
> > I don't think this is correct.
> > 
> > The attack finds two completely arbitrary texts, X and Y, that hash to
> > the same value, with absolutely no control over the content of X or Y.
> > In other words, the end result is two meaningless blobs X and Y.
> 
> The texts do not have to be arbitrary.  Parts of both texts do have to
> be arbitrary, but not the entire text.  And in several common binary
> filetypes (.pdf and .jpg come to mind), there are ways to insert globs
> of garbage that will be completely ignored by the viewer.
> 
> Also, another possible exploit is one that just DoS's Mercurial by
> having two changesets with the same hash.
> 
> The attack is real.  I've personally downloaded two different .ps files
> that were completely different documents, but had the same hash.  They
> stuffed in the necessary arbitrary stuff in a 30-60 some odd bytes of
> comment in each .ps file.

Ok, at http://www.cits.rub.de/MD5Collisions/ I've found two .ps files
that meet this description.

This essentially matches one of the scenarios I described earlier:

The files are identical except for the hash blocks and contain a
Postscript program that decides which message to show based on the
hash. So both versions contain the 'exploit' and the attack is
contingent upon someone signing it anyway.

But it does in fact prove me wrong. I would not expect the average
person to look at the contents of a .ps file, or even to become
suspicious if they saw binary junk in there they didn't understand.

-- 
Mathematics is the supreme nostalgia of our time.
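
The structure described in the message above (two files identical except for the hash blocks, each carrying both messages) can be checked mechanically. The following is an added Python example, not part of the original post: it reports which 64-byte blocks differ between two files and which message markers sit in the tail they share. The sample files, the `make_sample` helper and the marker strings are constructed stand-ins, not a real collision, so their digests differ.

```python
import hashlib

BLOCK = 64  # MD5 and SHA-1 both consume input in 64-byte blocks

def differing_blocks(a: bytes, b: bytes, block: int = BLOCK) -> list:
    """Return the indices of the block-sized chunks in which a and b differ."""
    longest = max(len(a), len(b))
    return [off // block for off in range(0, longest, block)
            if a[off:off + block] != b[off:off + block]]

def analyze_pair(a: bytes, b: bytes, markers: list) -> dict:
    """Summarise how two files relate: digests, differing blocks, shared tail."""
    blocks = differing_blocks(a, b)
    # Everything after the last differing block is byte-identical in both files.
    tail_start = (blocks[-1] + 1) * BLOCK if blocks else 0
    tail = a[tail_start:]
    return {
        "md5_equal": hashlib.md5(a).digest() == hashlib.md5(b).digest(),
        "sha256_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "differing_blocks": blocks,
        "tail_start": tail_start,
        # If every marker is in the shared tail, both files carry both messages
        # and only the differing blocks select which one is displayed.
        "markers_in_shared_tail": [m for m in markers if m in tail],
    }

def make_sample(junk: bytes) -> bytes:
    """Constructed stand-in for a .ps file: header block, junk blocks, program."""
    head = b"%!PS-Adobe-1.0\n%".ljust(BLOCK, b" ")  # exactly one 64-byte block
    tail = (b"\n% program inspects the junk above and picks a page\n"
            b"(Message A: routine letter) (Message B: different letter)\n")
    return head + junk + tail

# Constructed junk: two 128-byte blobs that differ in both of their blocks.
SAMPLE_A = make_sample(bytes(range(128)))
SAMPLE_B = make_sample(bytes(range(128))[::-1])
MARKERS = [b"Message A", b"Message B"]

if __name__ == "__main__":
    for key, value in analyze_pair(SAMPLE_A, SAMPLE_B, MARKERS).items():
        print(f"{key}: {value}")
```

On a genuine colliding pair, `md5_equal` would be true while `sha256_equal` stays false, with the same block layout.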

