* NIST's policy: sha-1 until 2010, after 2010 sha-2.
@ 2007-12-29 4:27 J.C. Pizarro
2007-12-29 4:45 ` David Symonds
0 siblings, 1 reply; 3+ messages in thread
From: J.C. Pizarro @ 2007-12-29 4:27 UTC (permalink / raw)
To: Linus Torvalds, git
Dear Linus Torvalds,
What do you think to do when your git has to change from SHA-1 to SHA-2
because of the weaker collision-resistance of SHA-1 in the next years?
(e.g. from an damn developer trying to commit a collisioned-SHA-1 file)
http://csrc.nist.gov/groups/ST/hash/policy.html says
NIST's Policy on Hash Functions
-------------------------------
March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224,
SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all
applications using secure hash algorithms. Federal agencies should
stop using SHA-1 for digital signatures, digital time stamping and
other applications that require collision resistance as soon as
practical, and must use the SHA-2 family of hash functions for these
applications after 2010. After 2010, Federal agencies may use SHA-1
only for the following applications: hash-based message authentication
codes (HMACs); key derivation functions (KDFs); and random number
generators (RNGs). Regardless of use, NIST encourages application and
protocol designers to use the SHA-2 family of hash functions for all
new applications and protocols.
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: NIST's policy: sha-1 until 2010, after 2010 sha-2. 2007-12-29 4:27 NIST's policy: sha-1 until 2010, after 2010 sha-2 J.C. Pizarro @ 2007-12-29 4:45 ` David Symonds 2007-12-29 5:07 ` David Brown 0 siblings, 1 reply; 3+ messages in thread From: David Symonds @ 2007-12-29 4:45 UTC (permalink / raw) To: J.C. Pizarro; +Cc: Linus Torvalds, git On Dec 29, 2007 3:27 PM, J.C. Pizarro <jcpiza@gmail.com> wrote: > Dear Linus Torvalds, > > What do you think to do when your git has to change from SHA-1 to SHA-2 > because of the weaker collision-resistance of SHA-1 in the next years? > > (e.g. from an damn developer trying to commit a collisioned-SHA-1 file) It's a non-issue. The closest-to-practical attack method on SHA-1 is a collision-finding attack, not a second pre-image attack, which means you can find two messages with the same hash. As far as I know, there's no significant weakness known for finding a pre-image, which would be the most practical way of weakening Git's "security" via SHA-1 substitution. Regardless, the use of SHA-1 in Git isn't primarily for security, though it is a nice side-effect. The SHA-1 is there for reliability in addressing and as a good hash. Dave. ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: NIST's policy: sha-1 until 2010, after 2010 sha-2. 2007-12-29 4:45 ` David Symonds @ 2007-12-29 5:07 ` David Brown 0 siblings, 0 replies; 3+ messages in thread From: David Brown @ 2007-12-29 5:07 UTC (permalink / raw) To: David Symonds; +Cc: J.C. Pizarro, Linus Torvalds, git On Sat, Dec 29, 2007 at 03:45:35PM +1100, David Symonds wrote: >On Dec 29, 2007 3:27 PM, J.C. Pizarro <jcpiza@gmail.com> wrote: >> Dear Linus Torvalds, >> >> What do you think to do when your git has to change from SHA-1 to SHA-2 >> because of the weaker collision-resistance of SHA-1 in the next years? >> >> (e.g. from an damn developer trying to commit a collisioned-SHA-1 file) > >It's a non-issue. The closest-to-practical attack method on SHA-1 is a >collision-finding attack, not a second pre-image attack, which means >you can find two messages with the same hash. As far as I know, >there's no significant weakness known for finding a pre-image, which >would be the most practical way of weakening Git's "security" via >SHA-1 substitution. <http://en.wikipedia.org/wiki/Birthday_attack> has some good background on the "problem". I suppose when SHA-1 is broken and people can generate arbitrary files with the same hash, it would be possible to use this to make files that were annoying to try and use with Git. Git wouldn't have any problem with normal colliding files, since it hashes the files with a prefix, so the files would have to be generated specifically for git. >Regardless, the use of SHA-1 in Git isn't primarily for security, >though it is a nice side-effect. The SHA-1 is there for reliability in >addressing and as a good hash. Given a method for producing a colliding pair for SHA1, it would be possible to check in a version of a file and later replace it in a repository with the other version without detection. The current pairs for MD5 contain blocks of binary data, so this would be fairly obvious if it got checked into source code. It would also only replace the blob on a compromised machine. Anyone who has already pulled the blob wouldn't download the new one. As far as a collision occurring accidentally, according to the Wiki page (the math looks right), for a 128-bit hash, 820 billion objects would have a 10^(-15) probability of a collision. SHA-1 is 160 bits, so the probability is even lower. The possible (or even likely) breaking of SHA-1 is only for intentional collisions. SHA-1 as a non-colliding hash function should be good for trillions of objects, and that's all in the same repo. It might be worth tossing around ideas for using a larger hash in a fairly long-term future, though. Dave ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2007-12-29 5:08 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2007-12-29 4:27 NIST's policy: sha-1 until 2010, after 2010 sha-2 J.C. Pizarro 2007-12-29 4:45 ` David Symonds 2007-12-29 5:07 ` David Brown
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).