bug-coreutils

From: Henrique de Moraes Holschuh
Subject: bug#25999: SHA1SUM: please switch to sha1dc to warn of attempted hash collision attacks
Date: Mon, 06 Mar 2017 12:16:14 -0300

This is a feature request, in light of the "shattered" attack against
SHA-1[1] published by Google.

A drop-in replacement for sha1 exists, based on the concept of
counter-cryptanalysis[2].  This drop-in replacement can detect when the
SHA-1 hash hits the weakened internal states used by the shattered
attack.  Optionally, it can also negate the
collision-resistance-weakening effect of the "shattered" attack.

This "hardened sha1" drop-in replacement is called sha1dc (for collision
detection), and an implementation can be found at:

https://github.com/cr-marcstevens/sha1collisiondetection

The license for the sha1dc library is MIT.  Another noteworthy user of
sha1dc is the git scm, which will use it to _detect_ objects weakened
for easier collisions, and refuse such objects.  This new version of git
has not been released yet at the time I am writing this bug report, but
the relevant patches are already in git's "pu" branch.

It would be nice if coreutils' sha1sum would use sha1dc, and report
(either as a warning, or as an error) when an attempt at generating SHA1
collisions is detected.

Note that this feature request is not for sha1sum to switch to the
hardened "safe version" of sha1dc that defuses the collision attempts,
but rather that sha1dc be used to detect and warn the user about the
specially crafted input data that makes the "shattered" attack feasible.

I have no strong opinions on whether sha1sum should abort or just warn
when an attempted collision is detected.  I also have no strong opinions
whether it should use "safe mode" or not, as long as it *does* warn the
user when an attempted collision is detected... only, I feel "safe mode"
behavior should be optional (I have no strong opinions on whether it
should be enabled by default or not).

[1] https://shattered.it/
[2] http://eprint.iacr.org/2017/173/20170228:105224

-- 
  Henrique de Moraes Holschuh <address@hidden>