1. 18

  2. 3

    Marc Stevens, who has been on the forefront of SHA-1 collisions, seems quite skeptical:

    Their $100K figure is based on as-of-yet undisclosed improvements. History shows many claims of low-cost SHA-1 attacks that have not stood up to peer review. I am very sceptical that their attack costs in total less than the $110K building block (SHAttered) that they use.

    1. 1

      I wonder if this will change Linus’s opinion[0] about sticking with SHA1 for git?

      [0] https://marc.info/?l=git&m=148787047422954
      1. 13

        That’s not what that email says though:

        Do we want to migrate to another hash? Yes.

        And if you follow the thread a bit further:

        Again, I’m not arguing that people shouldn’t work on extending git to a new (and bigger) hash. I think that’s a no-brainer, and we do want to have a path to eventually move towards SHA3-256 or whatever.

        But I’m very definitely arguing that the current attack doesn’t actually sound like it really even matters, because it should be so easy to mitigate against.

        1. 2

          In addition to @arp242’s comment, it’s worth noting that email is old. Work for moving to a new hash has been underway for some time now – see brian m. carlson’s talk at Git Merge.

        2. 1

          Can someone please link a source for this that doesn’t ask my web browser for a location and whatever other nonsense? :-/ I’m on the road and going through lynx or whatever isn’t currently practical.

          1. 4

            Here is the link to the actual paper. https://eprint.iacr.org/2019/459.pdf

            1. 1

              Thank you! ♥

            2. 1

              Loads fine for me on Firefox Mobile with NoScript, FYI.

            3. 1

              I am an amateur, so maybe someone knowledgeable can chime in on this:

              Is there any value or additional security in using several insecure hashing algorithms together?

              For example, if I provide both a SHA1 hash and an MD5 hash for a file, how much more difficult is it to create a collision that satisfies both?

              1. 4

                My knowledge of this is also VERY vague but I think it’s something like, given two algorithms A and B, if you use them both in conjunction the cost of breaking them both is cost(A)+cost(B), whereas an algorithm C can give far better results with the same amount of data. If you had two algorithms that were just as good as SHA1 and produced two 160-bit hashes for a file, it would be 320 bits total and the cost of breaking them both would be 2 * cost_of_breaking_sha1. But if you used a single SHA256 hash (256 bits) instead the cost of breaking it would be, well, the cost of breaking SHA256, which merely based on the size of the key should be 2^96 times harder than breaking SHA1.

                Using more bad algorithms gets you a linear increase in difficulty at best, using a better algorithm should get you an exponential increase in difficulty.

                1. 3

                  A combination of SHA1+MD5 is only marginally more secure than SHA1. Here’s someone explaining the math behind it: https://crypto.stackexchange.com/questions/36988/how-hard-is-it-to-generate-a-simultaneous-md5-and-sha1-collision

                  That said: Why would you want to do that? Why use 2 insecure functions when you can just use a secure one?

                  1. 1

                    Mainly for backwards-compatibility. If a system uses SHA-1 for identifiers, you could keep doing that, and have an extra sanity check for raising red flags.

                    Then again, you might as well use SHA3 for that sanity check, now that I think about it.

                  2. 1

                    I’m going to say no. When it comes to crypto, don’t try to be clever if you aren’t a crypto expert. Just do the simple thing and use the standard algorithms in the most direct and obvious way.

                    1. 1

                      I’m also not an expert but this reminds me of Dave’s False Maxim on the Information Security Stack Exchange. Not 100% sure it applies although it’s still funny either way :P
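The sub-thread above asks how much harder it is to collide SHA-1 and MD5 at the same time, and the linked crypto.stackexchange answer gives the standard argument (Joux's 2004 multicollision result): for an iterated hash, k single-block collisions cost only k times one collision yet yield 2^k messages with the same digest, and a plain birthday search among those 2^k messages then collides the second hash. So the concatenation costs roughly "the stronger hash plus a little", not the sum and certainly not a doubled output size. The script below is an added example that is not part of the thread or of any cited paper: it runs that attack on toy 16-bit hashes so it finishes instantly. The hash sizes, the 8-byte block size, the IV, and the use of truncated SHA-256 as a Merkle-Damgard compression function (for H1) and truncated MD5 as the second hash (H2) are all assumptions chosen for the demonstration; the real attack has the same shape with SHAttered-style block collisions as the building block.

```python
"""
Joux multicollision attack on a concatenated hash combiner H1(m) || H2(m),
demonstrated on toy 16-bit hashes so it runs in well under a second.
Constructed example; not code from the thread or from any cited paper.

H1 is an iterated Merkle-Damgard hash (the same overall structure as SHA-1
and MD5) whose compression function is SHA-256 truncated to 16 bits.
H2 is MD5 truncated to 16 bits and is treated as a black box.
All sizes below are assumptions chosen so the attack is cheap to run.
"""
import hashlib
from itertools import product

N_BITS = 16          # toy output size of each hash (assumption)
BLOCK = 8            # message block size in bytes (assumption)
IV = 0x1234          # fixed initial chaining value for H1 (assumption)


def compress1(state: int, block: bytes) -> int:
    """Toy compression function: SHA-256(state || block) truncated to N_BITS."""
    digest = hashlib.sha256(state.to_bytes(2, "big") + block).digest()
    return int.from_bytes(digest[:2], "big")


def H1(msg: bytes) -> int:
    """Merkle-Damgard iteration of compress1. Every message in this demo is
    a whole number of blocks and all have equal length, so padding is omitted."""
    state = IV
    for i in range(0, len(msg), BLOCK):
        state = compress1(state, msg[i:i + BLOCK])
    return state


def H2(msg: bytes) -> int:
    """Second, unrelated hash: MD5 truncated to N_BITS (black box to the attack)."""
    return int.from_bytes(hashlib.md5(msg).digest()[:2], "big")


def combiner(msg: bytes) -> tuple:
    """The 'publish both hashes side by side' construction from the thread."""
    return H1(msg), H2(msg)


def find_block_collision(state: int):
    """Birthday search for two distinct blocks b, b' with
    compress1(state, b) == compress1(state, b'). Expected ~2^(N_BITS/2) calls.
    Blocks are counter values, so the search is deterministic."""
    seen = {}
    ctr = 0
    while True:
        block = ctr.to_bytes(BLOCK, "big")
        out = compress1(state, block)
        if out in seen:
            return seen[out], block, out, ctr + 1
        seen[out] = block
        ctr += 1


def joux_multicollision(k: int):
    """Build k block pairs (b_i, b'_i) such that every one of the 2^k messages
    formed by picking one block per position has the same H1 value.
    Cost is k single-block collisions, not 2^k of them."""
    state = IV
    pairs = []
    work = 0
    for _ in range(k):
        b0, b1, state, calls = find_block_collision(state)
        pairs.append((b0, b1))
        work += calls
    return pairs, state, work


def attack_combiner(k: int = 12):
    """Collide H1 || H2: take the 2^k-multicollision for H1, then run a plain
    birthday search for an H2 collision among those messages.
    Returns (m1, m2, total_hash_calls). k=12 gives 4096 candidates, far more
    than the ~2^8 a 16-bit birthday search needs."""
    pairs, _h1, work = joux_multicollision(k)
    seen = {}
    for choice in product((0, 1), repeat=k):
        msg = b"".join(pairs[i][bit] for i, bit in enumerate(choice))
        h2 = H2(msg)
        work += 1
        if h2 in seen:
            return seen[h2], msg, work
        seen[h2] = msg
    raise RuntimeError("no H2 collision among 2^k candidates; increase k")


def generic_collision_cost() -> int:
    """Birthday bound for a 2*N_BITS-bit hash: the cost the combiner would
    have if concatenation really doubled the output's strength."""
    return 2 ** N_BITS


if __name__ == "__main__":
    m1, m2, work = attack_combiner()
    assert m1 != m2 and combiner(m1) == combiner(m2)
    print(f"collision {combiner(m1)!r} on two distinct {len(m1)}-byte messages")
    print(f"work: ~{work} hash calls vs ~{generic_collision_cost()} generic")
```

With these parameters the attack needs on the order of a few thousand compression calls, against the roughly 65536 a 32-bit hash should demand; that gap is the whole point of the crypto.stackexchange answer, and it only grows at real sizes. Which hash gets the multicollision treatment is the attacker's choice: against SHA-1||MD5 one would build it in whichever is cheaper to collide block by block, so the combiner is bounded by the stronger of the two, not their sum.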