From: Tim Ruffing <tim.ruffing@mmci•uni-saarland.de>
To: bitcoin-dev@lists•linuxfoundation.org
Subject: Re: [bitcoin-dev] SHA1 collisions make Git vulnerable to attakcs by third-parties, not just repo maintainers
Date: Fri, 24 Feb 2017 11:04:54 +0100 [thread overview]
Message-ID: <1487930694.1528.1.camel@mmci.uni-saarland.de> (raw)
In-Reply-To: <76fa5d76-6c54-e13e-7b55-a4409ef536f5@gmail.com>
On Fri, 2017-02-24 at 00:57 +0100, Aymeric Vitte via bitcoin-dev wrote:
>
> I have not worked on this since some time, so that's just thoughts,
> but maybe it can render things much more difficult
> than computing two files until the same hash is found
>
You basically rely on the idea that specific collisions are more
difficult to find. This trick or similar tricks will not help. (And
actually, the more files you add to the hash, the more freedom you give
the attacker.)
Even if certain collisions are more difficult to find today (which is
certainly true), the general rule is that someone will prove you wrong
in a year.
Even if ignore security entirely, switching to new hash function is
much simpler trying to fix the usage of a broken hash function.
Relying on SHA1 is hopeless. We have to get rid of it.
Best,
Tim
next prev parent reply other threads:[~2017-02-24 10:13 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-23 18:14 Peter Todd
2017-02-23 21:28 ` Peter Todd
2017-02-23 23:57 ` Aymeric Vitte
2017-02-24 10:04 ` Tim Ruffing [this message]
2017-02-24 15:18 ` Aymeric Vitte
2017-02-24 16:30 ` Tim Ruffing
2017-02-24 17:29 ` Aymeric Vitte
[not found] <mailman.22137.1487974823.31141.bitcoin-dev@lists.linuxfoundation.org>
2017-02-24 23:49 ` Steve Davis
2017-02-25 1:01 ` Peter Todd
2017-02-25 12:04 ` Steve Davis
2017-02-25 14:50 ` Leandro Coutinho
2017-02-25 16:10 ` Ethan Heilman
2017-02-25 17:45 ` Shin'ichiro Matsuo
2017-02-27 9:15 ` Henning Kopp
2017-02-25 18:19 ` Alice Wonder
2017-02-25 18:36 ` Ethan Heilman
2017-02-25 19:12 ` Peter Todd
2017-02-25 20:42 ` Watson Ladd
2017-02-25 20:57 ` Peter Todd
2017-02-25 20:53 ` Russell O'Connor
2017-02-25 21:04 ` Peter Todd
2017-02-25 21:21 ` Dave Scotese
2017-02-25 21:34 ` Steve Davis
2017-02-25 21:40 ` Peter Todd
2017-02-25 21:54 ` Steve Davis
2017-02-25 22:14 ` Pieter Wuille
2017-02-25 22:34 ` Ethan Heilman
2017-02-26 6:26 ` Steve Davis
2017-02-26 6:36 ` Pieter Wuille
2017-02-26 7:16 ` Steve Davis
[not found] ` <CAPg+sBirowtHqUT5GUJf9hmDEACKVX19HAon-rrz7GmO8OBsNg@mail.gmail.com>
2017-02-26 16:53 ` Steve Davis
2017-02-25 23:09 ` Leandro Coutinho
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1487930694.1528.1.camel@mmci.uni-saarland.de \
--to=tim.ruffing@mmci$(echo .)uni-saarland.de \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox