Re: About git and the use of SHA-1

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Andreas Ericsson

Subject: Re: About git and the use of SHA-1

Date: Tuesday, April 29, 2008 - 5:27 am

Sverre Rabbelier wrote:
quoted text> On Tue, Apr 29, 2008 at 9:21 AM, Andreas Ericsson <ae@op5.se> wrote:
>> Russ Dill wrote:
>>  If the server is hacked and objects are replaced, they will either
>>  no longer match their cryptographic signature, meaning they'll be
>>  new objects or git will determine that they are corrupt, or they
> 
> We were assuming here that once SHA-1 is broken really determined
> hackers will be able to come up with objects that -do- match the
> SHA-1, so the above is not relevant.
> 
>>  *will* match an existing object, but then that object won't be
>>  propagated to other repositories since git refuses to overwrite
>>  already existing objects. [...]
> 
> What about new users cloning the repo? They're just out of luck?

Only until someone who's already cloned the repository fetches
from it, at which point the collision will be detected.

quoted text> I
> don't think this argument holds, if we want to 'advertise' that git is
> cryptographically secure we can do so only as long as our hashing
> algorithm is. (As such, should SHA-1 ever be fully broken we'd need to
> either switch to another algorithm or stop advertising being
> cryptographically secure.)
> 

True. So far though, the only attacks that have been successful requires
that the attacker is allowed to create both the colliding data-sets,
and so far none has been found that would allow the attacker to follow
any kind of syntactical rules what so ever, so from a practical point
of view, SHA1 is 100% secure *for sourcecode*.

From a theoretical point of view, no hash is 100% secure, so changing
algorithm buys us nothing.

Besides, "cryprographically secure" is not the same as "will never ever
be broken", because all hashes are obviously susceptible to brute-force
attacks. "Cryptographically secure" means, insofar as I've understood it
that given a source-file and a key, it would take such an extremely
long time to find a different data-set that hashes to the same key that
the result is unusable because the original source is obsolete.

That is why legal documents are always signed with the "most secure"
(or rather, "least insecure") of all available hashes. For our
purposes, SHA1 suffices until someone comes up with a relatively
trivial way of creating a collision within the parameters above.

quoted text>>  [...] Either way, gits refusal to overwrite
>>  objects it already has plays a part in making malicious actions
>>  futile, since malicious code is only worth something if it's
>>  propagated and actually used.
> 
> Of course this is true, it makes it a lot harder to do damage, but it
> doesn't eliminate the problem, it's just a free 'extra protection'.
> Yes, malicious code is only worth something if it's propagated and
> actually used, no, it is not impossible to do so in git if/when SHA-1
> turns out to have collisions every other file.
> 

Points of fact so far:
* It possible to create objects with colliding names (SHA1 hash keys).
  This holds true whichever algorithm we use, although it will be more
  difficult with a stronger algorithm.
* It is impossible to distribute the colliding content to already cloned
  repositories. This also holds true for all hash algorithms.

I've been arguing that the value of the first point is so greatly
diminished by the second, that even if SHA1 turns out to be horribly
broken, projects using git will still have a decent protection against
malicious code entering the repository without the knowledge of one of
the authors.

You've been arguing that SHA1 is not theoretically secure, which is
obviously true since no hash is theoretically secure.

I can think of one way to make git a lot more resilient to hash
collisions, regardless of which hash is used, namely: Add the length
of the hashed object to the hash.

In order for an evil-minded hacker to succeed in doing any real harm,
he/she now has to create a conflicting file which is valid for its
type (be it C, PHP, JPEG, AVI, PDF or whatever) and is also the same
length as the original source, without being allowed to create the
original object.

-- 
Andreas Ericsson                   andreas.ericsson@op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

About git and the use of SHA-1, Henrik Austad, (Mon Apr 28, 9:29 am)

Re: About git and the use of SHA-1, Daniel Barkalow, (Mon Apr 28, 12:34 pm)

Re: About git and the use of SHA-1, Henrik Austad, (Mon Apr 28, 2:29 pm)

Re: About git and the use of SHA-1, Daniel Barkalow, (Mon Apr 28, 3:15 pm)

Re: About git and the use of SHA-1, Andreas Ericsson, (Mon Apr 28, 11:38 pm)

Re: About git and the use of SHA-1, Russ Dill, (Tue Apr 29, 12:09 am)

Re: About git and the use of SHA-1, Andreas Ericsson, (Tue Apr 29, 12:21 am)

Re: About git and the use of SHA-1, Sverre Rabbelier, (Tue Apr 29, 4:05 am)

Re: About git and the use of SHA-1, Andreas Ericsson, (Tue Apr 29, 5:27 am)

Re: About git and the use of SHA-1, Dmitry Potapov, (Tue Apr 29, 5:41 am)

Re: About git and the use of SHA-1, Jurko Gospodnetić, (Tue Apr 29, 5:46 am)

Re: About git and the use of SHA-1, Paolo Bonzini, (Tue Apr 29, 6:05 am)

Re: About git and the use of SHA-1, Andreas Ericsson, (Tue Apr 29, 7:37 am)

Re: About git and the use of SHA-1, Andreas Ericsson, (Tue Apr 29, 7:41 am)

Re: About git and the use of SHA-1, Paolo Bonzini, (Tue Apr 29, 7:52 am)

Re: About git and the use of SHA-1, Tom Widmer, (Tue Apr 29, 8:02 am)

Re: About git and the use of SHA-1, Geoffrey Irving, (Tue Apr 29, 8:34 am)

Re: About git and the use of SHA-1, Nicolas Pitre, (Tue Apr 29, 8:42 am)

Re: About git and the use of SHA-1, Geoffrey Irving, (Tue Apr 29, 8:59 am)

Re: About git and the use of SHA-1, Russ Dill, (Tue Apr 29, 9:21 am)

Re: About git and the use of SHA-1, Russ Dill, (Tue Apr 29, 9:24 am)

Re: About git and the use of SHA-1, Daniel Barkalow, (Tue Apr 29, 9:27 am)

Re: About git and the use of SHA-1, Nicolas Pitre, (Tue Apr 29, 9:39 am)

Re: About git and the use of SHA-1, Tom Widmer, (Tue Apr 29, 10:08 am)

Re: About git and the use of SHA-1, Geoffrey Irving, (Tue Apr 29, 10:48 am)

Re: About git and the use of SHA-1, Nicolas Pitre, (Tue Apr 29, 10:55 am)

Re: About git and the use of SHA-1, Geoffrey Irving, (Tue Apr 29, 11:02 am)

Re: About git and the use of SHA-1, Matthieu Moy, (Tue Apr 29, 11:17 am)

Re: About git and the use of SHA-1, Fredrik Skolmli, (Tue Apr 29, 11:23 am)

Re: About git and the use of SHA-1, Daniel Barkalow, (Tue Apr 29, 11:41 am)

Re: About git and the use of SHA-1, Geoffrey Irving, (Tue Apr 29, 1:31 pm)

Re: About git and the use of SHA-1, Fredrik Skolmli, (Tue Apr 29, 1:50 pm)

Re: About git and the use of SHA-1, Geoffrey Irving, (Tue Apr 29, 2:39 pm)

Re: About git and the use of SHA-1, Fredrik Skolmli, (Tue Apr 29, 2:52 pm)

Re: About git and the use of SHA-1, Martin Langhoff, (Tue Apr 29, 7:58 pm)

Re: About git and the use of SHA-1, Geoffrey Irving, (Tue Apr 29, 10:18 pm)

Re: About git and the use of SHA-1, David Brown, (Tue Apr 29, 10:47 pm)

Re: About git and the use of SHA-1, Martin Langhoff, (Tue Apr 29, 10:56 pm)


linux-kernel:
Mel Gorman	Re: [PATCH 1/4] vmstat: remove zone->lock from walk_zones_in_node
Guenter Roeck	Re: [lm-sensors] Location for thermal drivers
David Woodhouse	Re: RFC: Moving firmware blobs out of the kernel.
Siddha, Suresh B	Re: [PATCH 2.6.21 review I] [11/25] x86: default to physical mode on hotplug CPU k...
Peter Zijlstra	Re: [patch 4/6] mm: merge populate and nopage into fault (fixes nonlinear)
git-commits-head:
Linux Kernel Mailing List	[MIPS] Fix potential latency problem due to non-atomic cpu_wait.
Linux Kernel Mailing List	USB: rename USB_SPEED_VARIABLE to USB_SPEED_WIRELESS
Linux Kernel Mailing List	lib/vsprintf.c: fix bug omitting minus sign of numbers (module_param)
Linux Kernel Mailing List	[Bluetooth] Initiate authentication during connection establishment
Linux Kernel Mailing List	[POWERPC] 4xx: Add ppc40x_defconfig
linux-netdev:
MERCEDES	Your mail id has won 950,000.00 in the MERCEDES Benz Online Promo.for claims send:
David Miller	Re: [PATCH] xen/netfront: do not mark packets of length < MSS as GSO
David Miller	Re: skb_segment() questions
Shan Wei	[RFC PATCH net-next 2/5]IPv6:netfilter: Send an ICMPv6 "Fragment Reassembly Timeou...
Stanislaw Gruszka	[PATCH 1/4] bnx2x: use smp_mb() to keep ordering of read write operations
git:
Nicolas Sebrecht	git-svn died of signal 11 (was "3 failures on test t9100 (svn)")
Junio C Hamano	Re: [PATCH 2/2] Add url.<base>.pushInsteadOf: URL rewriting for push only
Martin Langhoff	Re: [PATCH] GIT commit statistics.
Alexandre Julliard	[PATCH] gitweb: Put back shortlog instead of graphiclog in the project list.
Josh Triplett	[PATCH 2/2] Add url.<base>.pushInsteadOf: URL rewriting for push only
openbsd-misc:
Taisto Qvist XX	Re: AMD GEODE LX-800 just works with kernel from install42.iso and kernelpanics wi...
Nico Meijer	Re: gOS Develop Kit with VIA pc-1 Processor Platform VIA C7-D
Andreas Bihlmaier	Re: jetway board sensors (Fintek F71805F)
admin	Drive a 2009 car from R799p/m
Antti Harri	Re: how to create a sha256 hash