From: Jeff King <peff@peff.net>
To: git@vger.kernel.org,
Patrick Schleizer <patrick-mailinglists@whonix.org>,
whonix-devel@whonix.org, mikegerwitz@gnu.org
Subject: Re: How safe are signed git tags? Only as safe as SHA-1 or somehow safer?
Date: Sat, 22 Nov 2014 14:48:42 -0500 [thread overview]
Message-ID: <20141122194841.GA13665@peff.net> (raw)
In-Reply-To: <1B02B87E88254A4A95EE138C9D2C4B8B@black>
On Fri, Nov 21, 2014 at 06:32:46PM -0500, Jason Pyeron wrote:
> The whole issue is a lot better than this makes it sound. Yes it is
> just a SHA1 hash, but it is a hash of a structured data format.
>
> You have very observable parts of that well structured data providede to the hash.
Yeah, I glossed over that because I don't know enough about the specific
attacks. In the worst case, you have a binary file format that lets
people stick arbitrary bits of data in the middle (like the MD5 attacks
on Postscript and PDF files), and you do the collision on the blobs.
But even with that, the sha1s are taken over "blob <n>\0<content>" where
<n> is the number of bytes of <content>. Depending on the exact scheme
for generating probable collisions is less than brute force time, even
that amount of structure may prove problematic. I don't know whether
that is the case for the best-known attacks or not (remember that nobody
has _actually_ generated a sha-1 collision at all yet).
-Peff
next prev parent reply other threads:[~2014-11-22 19:48 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-16 15:31 How safe are signed git tags? Only as safe as SHA-1 or somehow safer? Patrick Schleizer
2014-11-17 21:26 ` Jeff King
2014-11-21 23:01 ` Patrick Schleizer
2014-11-21 23:32 ` Jason Pyeron
2014-11-22 19:48 ` Jeff King [this message]
2014-11-22 19:43 ` Jeff King
2014-11-25 12:59 ` Fedor Brunner
2014-11-24 1:23 ` Duy Nguyen
2014-11-24 10:15 ` Michael J Gruber
2014-11-24 11:44 ` Duy Nguyen
2014-11-25 10:41 ` Duy Nguyen
2014-11-24 15:51 ` Jeff King
2014-11-24 18:14 ` Nico Williams
2014-11-25 1:16 ` Duy Nguyen
2014-11-25 1:23 ` Jonathan Nieder
2014-11-25 1:52 ` Duy Nguyen
2014-11-25 3:40 ` Stefan Beller
2014-11-25 3:47 ` Jeff King
2014-11-25 10:55 ` Duy Nguyen
2014-11-25 17:23 ` Junio C Hamano
2014-11-25 11:07 ` brian m. carlson
-- strict thread matches above, loose matches on Subject: below --
2014-11-24 0:52 bancfc
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141122194841.GA13665@peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=mikegerwitz@gnu.org \
--cc=patrick-mailinglists@whonix.org \
--cc=whonix-devel@whonix.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).