From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
To: Duy Nguyen <pclouds@gmail.com>
Cc: Herczeg Zsolt <zsolt94@gmail.com>,
"brian m. carlson" <sandals@crustytoothpaste.net>,
Theodore Ts'o <tytso@mit.edu>,
Git Mailing List <git@vger.kernel.org>
Subject: Re: Git and SHA-1 security (again)
Date: Tue, 19 Jul 2016 09:18:50 +0200 (CEST) [thread overview]
Message-ID: <alpine.DEB.2.20.1607190910370.3472@virtualbox> (raw)
In-Reply-To: <CACsJy8Ba=c+-WV2TsY768_fTDO2KesS1b6BK7kdykNY6gkh=UQ@mail.gmail.com>
Hi Duy,
On Mon, 18 Jul 2016, Duy Nguyen wrote:
> On Mon, Jul 18, 2016 at 5:57 PM, Johannes Schindelin
> <Johannes.Schindelin@gmx.de> wrote:
> >
> > On Mon, 18 Jul 2016, Herczeg Zsolt wrote:
> >
> >> >> I think converting is a much better option. Use a single-hash
> >> >> storage, and convert everything to that on import/clone/pull.
> >> >
> >> > That ignores two very important issues that I already had mentioned:
> >>
> >> That's not true. If you double-check the next part of my message, you I
> >> just showed that an automatic two-way mapping could solve these
> >> problems! (I even give briefs explanation how to handle referencing and
> >> signature verification in those cases.)
> >>
> >> My point is not to throw out old hashes and break signatures. My point
> >> is to convert the data storage, and use mapping to resolve problems
> >> with those old hashes and signatures.
> >
> > If you convert the data storage, then the SHA-1s listed in the commit
> > objects will have to be rewritten, and then the GPG signature will not
> > match anymore.
>
> But we can recreate SHA-1 from the same content and verify GPG, right?
> I know it's super expensive, but it feels safer to not carry SHA-1
> around when it's not secure anymore (I recall something about
> exploiting the weakest link when you have both sha1 and sha256 in the
> object content). Rehashing would be done locally and is better
> controlled.
You could. But how would you determine whether to recreate the commit
object from a SHA-1-ified version of the commit buffer? Fall back if the
original did not match the signature? That would pose at least these two
problems:
1. The point of a signature is trust. If all of a sudden the signature
does not match what is supposedly signed, that trust is broken.
2. The point of going to a stronger hash is to increase the trust. If
any developer could decide to sign the SHA-1-ified version of any future
commit, and Git validating it, it would be even worse than not switching
to a new hash: it would leave us open to collision attacks *and* pretend
that we prevented such attacks.
The more I think about it, the more I am convinced that we have no choice
but allow mixed hashes (i.e. both 160-bit SHA-1 and 256-bit new hash,
whatever we settle on). Otherwise there would be no reliable and
trustworthy upgrade path.
But maybe there is a clever strategy I failed to think of?
Ciao,
Dscho
next prev parent reply other threads:[~2016-07-19 7:19 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-16 13:48 Git and SHA-1 security (again) Herczeg Zsolt
2016-07-16 20:13 ` brian m. carlson
2016-07-16 21:46 ` Herczeg Zsolt
2016-07-16 22:03 ` brian m. carlson
2016-07-17 8:01 ` Johannes Schindelin
2016-07-17 14:21 ` brian m. carlson
2016-07-17 15:19 ` Duy Nguyen
2016-07-17 15:42 ` brian m. carlson
2016-07-17 16:23 ` Theodore Ts'o
2016-07-17 22:04 ` brian m. carlson
[not found] ` <1468804249.2037.0@smtp.gmail.com>
2016-07-18 1:18 ` Fwd: " Herczeg Zsolt
2016-07-18 7:12 ` Johannes Schindelin
2016-07-18 15:09 ` Herczeg Zsolt
2016-07-18 15:57 ` Johannes Schindelin
2016-07-18 16:05 ` Duy Nguyen
2016-07-19 7:18 ` Johannes Schindelin [this message]
2016-07-19 15:31 ` Duy Nguyen
2016-07-19 17:34 ` David Lang
2016-07-19 17:43 ` Duy Nguyen
2016-07-19 17:59 ` David Lang
2016-07-19 18:04 ` Duy Nguyen
2016-07-19 18:58 ` Herczeg Zsolt
2016-07-20 14:48 ` Duy Nguyen
2016-07-20 12:28 ` Johannes Schindelin
2016-07-20 14:44 ` Duy Nguyen
2016-07-20 17:10 ` Stefan Beller
2016-07-20 19:26 ` Junio C Hamano
2016-08-22 22:01 ` Philip Oakley
2016-07-18 16:12 ` Herczeg Zsolt
2016-07-19 7:21 ` Johannes Schindelin
2016-07-18 18:00 ` Junio C Hamano
2016-07-18 21:26 ` Jonathan Nieder
2016-07-18 23:03 ` brian m. carlson
2016-07-21 13:19 ` Johannes Schindelin
2016-07-21 12:53 ` Johannes Schindelin
2016-07-22 15:59 ` Junio C Hamano
2016-07-18 7:00 ` Johannes Schindelin
2016-07-18 22:44 ` brian m. carlson
2016-07-21 14:13 ` Johannes Schindelin
2016-07-18 16:51 ` Duy Nguyen
2016-07-19 7:31 ` Johannes Schindelin
2016-07-19 7:46 ` David Lang
2016-07-19 16:07 ` Duy Nguyen
2016-07-19 17:06 ` Junio C Hamano
2016-07-19 17:27 ` Duy Nguyen
2016-07-19 18:46 ` Junio C Hamano
2016-07-18 16:51 ` Ævar Arnfjörð Bjarmason
2016-07-18 17:48 ` Herczeg Zsolt
2016-07-18 20:01 ` David Lang
2016-07-18 20:02 ` Ævar Arnfjörð Bjarmason
2016-07-18 20:55 ` Junio C Hamano
2016-07-18 21:28 ` Herczeg Zsolt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.20.1607190910370.3472@virtualbox \
--to=johannes.schindelin@gmx.de \
--cc=git@vger.kernel.org \
--cc=pclouds@gmail.com \
--cc=sandals@crustytoothpaste.net \
--cc=tytso@mit.edu \
--cc=zsolt94@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).