From: Pádraig Brady
Subject: bug#25999: SHA1SUM: please switch to sha1dc to warn of attempted hash collision attacks
Date: Mon, 6 Mar 2017 20:45:11 -0800
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0

On 06/03/17 07:16, Henrique de Moraes Holschuh wrote:
> This is a feature request, in light of the "shattered" attack against
> SHA-1[1] published by Google.
> 
> A drop-in replacement for sha1 exists, based on the concept of
> counter-cryptanalysis[2].  This drop-in replacement can detect when the
> SHA-1 hash hits the weakened internal states used by the shattered
> attack.  Optionally, it can also negate the
> collision-resistance-weakening effect of the "shattered" attack.
> 
> This "hardened sha1" drop-in replacement is called sha1dc (for collision
> detection), and an implementation can be found at:
> 
> https://github.com/cr-marcstevens/sha1collisiondetection
> 
> The license for the sha1-dc library is MIT.  Another noteworthy user of
> sha1dc is the git scm, which will use it to _detect_ objects weakened
> for easier collisions, and refuse such objects.  This new version of git
> has not been released yet at the time I am writing this bug report, but
> the relevant patches are already in git's "pu" branch.
> 
> It would be nice if coreutils' sha1sum would use sha1dc, and report
> (either as a warning, or as an error) when an attempt at generating SHA1
> collisions is detected.
> 
> Note that this feature request is not for sha1sum to switch to the
> hardened "safe version" of sha1dc that defuses the collision attempts,
> but rather that sha1dc be used to detect and warn the user about the
> specially crafted input data that makes the "shattered" attack feasible.
> 
> I have no strong opinions on whether sha1sum should abort or just warn
> when an attempted collision is detected.  I also have no strong opinions
> whether it should use "safe mode" or not, as long as it *does* warn the
> user when an attempted collision is detected... only, I feel "safe mode"
> behavior should be optional (I have no strong opinions on whether it
> should be enabled by default or not).
> 
> [1] https://shattered.it/
> [2] http://eprint.iacr.org/2017/173/20170228:105224
> 

Interesting.

I agree the "safe version" is less interesting as one
can use sha3 or blake2 with the same length as sha1,
for about the same compatibility but greater protection.

As for detection, I suppose we should by default
enable this with sha1sum --check, because:
 - sha1sum should be as safe as possible by default
 - we don't care that much about sha1 perf since it's deprecated
 - false positive probability is smaller than 2^-90

I wonder whether similar analysis is possible with md5sum?

As for licensing, we could probably integrate it as
we do already for src/blake2/

thanks,
Pádraig
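Added example (not code from this thread or from coreutils): a small Python model of the `sha1sum --check` flow discussed above, verifying GNU-style checksum lines against in-memory files. It also shows the point about same-length digests: blake2b with `digest_size=20` and SHAKE128 (the SHA-3 XOF) produce 160-bit values that fit the existing checkfile format unchanged. The file contents are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample "files": name -> contents (stands in for files on disk).
FILES = {"a.txt": b"hello\n", "b.bin": bytes(range(256))}


def digest160(data: bytes, algo: str) -> str:
    """Return a 40-hex-char (160-bit) digest for one of the algorithms discussed."""
    if algo == "sha1":
        return hashlib.sha1(data).hexdigest()
    if algo == "blake2b":
        return hashlib.blake2b(data, digest_size=20).hexdigest()
    if algo == "shake128":
        return hashlib.shake_128(data).hexdigest(20)
    raise ValueError(f"unsupported algorithm: {algo}")


def make_checkfile(files: dict, algo: str) -> str:
    """Emit GNU checksum lines: <hex>, then ' *' (binary mode), then the name."""
    return "".join(f"{digest160(d, algo)} *{n}\n" for n, d in files.items())


def parse_line(line: str):
    """Parse one checksum line; accept both '  ' (text) and ' *' (binary) separators."""
    line = line.rstrip("\n")
    if len(line) < 43 or line[40:42] not in ("  ", " *"):
        raise ValueError(f"improperly formatted checksum line: {line!r}")
    hexdigest, name = line[:40], line[42:]
    int(hexdigest, 16)  # raises ValueError on non-hex characters
    return hexdigest.lower(), name


def check(checkfile: str, files: dict, algo: str):
    """Model of --check: return (per-file status, exit status), 1 if anything failed."""
    results, status = {}, 0
    for line in checkfile.splitlines():
        expected, name = parse_line(line)
        if name not in files:
            results[name] = "FAILED open or read"
            status = 1
            continue
        ok = hmac.compare_digest(expected, digest160(files[name], algo))
        results[name] = "OK" if ok else "FAILED"
        status |= 0 if ok else 1
    return results, status


if __name__ == "__main__":
    for algo in ("sha1", "blake2b", "shake128"):
        print(algo, check(make_checkfile(FILES, algo), FILES, algo))
```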
