Re: Possible vulnerability to SHA-1 collisions

[Jeff King <peff@peff.net>]

On Tue, Nov 27, 2012 at 06:30:17PM -0500, Aaron Schrab wrote:

> At 18:07 -0500 27 Nov 2012, Jeff King <peff@peff.net> wrote:
> >PS I also think the OP's "sockpuppet creates innocuous bugfix" above is
> >  easier said than done. We do not have SHA-1 collisions yet, but if
> >  the md5 attacks are any indication, the innocuous file will not be
> >  completely clean; it will need to have some embedded binary goo that
> >  is mutated randomly during the collision process (which is why the
> >  md5 attacks were demonstrated with postscript files which _rendered_
> >  to look good, but contained a chunk of random bytes in a spot ignored
> >  by the postscript interpreter).
> 
> I don't think that really saves us though.  Many formats have parts
> of the file which will be ignored, such as comments in source code.

Agreed, it does not save us unconditionally. It just makes it harder to
execute the attack. Would you take a patch from a stranger that had a
kilobyte of binary garbage in a comment?

A more likely avenue would be a true binary file where nobody is
expected to read the diff.

> With the suggested type of attack, there isn't a requirement about
> which version of the file is modified.  So the attacker should be
> able to generate a version of a file with an innocuous change, get
> the SHA-1 for that, then add garbage comments to their malicious
> version of the file to try to get the same SHA-1.

That's not how birthday collision attacks usually work, though. You do
not get to just mutate the malicious side and leave the innocuous side
untouched. You are mutating both sides over and over and hoping to find
a matching sha1 from the "good" and "evil" sides.

Of course, I have not been keeping up too closely with the efforts to
break sha-1. Maybe there is something more nefarious about the current
attacks. I am just going off my recollection of the md5 collision
attacks.

-Peff