All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
To: "Git ML" <git@vger.kernel.org>
Cc: Jeff King <peff@peff.net>, Marc Stevens <marc@marc-stevens.nl>,
	gaetan.leurent@inria.fr, thomas.peyrin@ntu.edu.sg,
	Dan Shumow <shumow@gmail.com>,
	"brian m . carlson" <sandals@crustytoothpaste.net>,
	Junio C Hamano <gitster@pobox.com>,
	Jonathan Nieder <jrnieder@gmail.com>,
	Eric Sunshine <sunshine@sunshineco.com>
Subject: Git and the new SHA-1 prefix collision attack
Date: Wed, 15 May 2019 14:22:28 +0200	[thread overview]
Message-ID: <875zqbx5yz.fsf@evledraar.gmail.com> (raw)

[CC-list carried forward from the last SHA-1 thread I found]

Thought I'd sent a brief line about this since nobody else did.

There's a newly published "From Collisions to Chosen-Prefix Collisions
Application to Full SHA-1" paper making the news this week which builds
on the SHAttered attack: https://eprint.iacr.org/2019/459.pdf

See https://shattered.io for that original attack.

I asked Marc Stevens on Twitter whether the sha1collisiondetection
library would cover the sorts of collisions generated by the method
described in this paper. He said yes:
https://twitter.com/realhashbreaker/status/1128419029536923649

Not all the details are out on this new attack, in particular the
researchers (CC'd) haven't yet published details[1] on improvements that
would make such an attack cheaper to carry out than the current
state-of-the art, which I understand from Marc's Twitter feed is
something he's skeptical about.

In any case, it looks like the sha1collisiondetection library will save
the day again. Thanks Marc & Dan!

1. https://www.zdnet.com/article/sha-1-collision-attacks-are-now-actually-practical-and-a-looming-danger/

                 reply	other threads:[~2019-05-15 12:22 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=875zqbx5yz.fsf@evledraar.gmail.com \
    --to=avarab@gmail.com \
    --cc=gaetan.leurent@inria.fr \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    --cc=jrnieder@gmail.com \
    --cc=marc@marc-stevens.nl \
    --cc=peff@peff.net \
    --cc=sandals@crustytoothpaste.net \
    --cc=shumow@gmail.com \
    --cc=sunshine@sunshineco.com \
    --cc=thomas.peyrin@ntu.edu.sg \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.