1 |
On Sat, Aug 15, 2015 at 7:24 AM, hasufell <hasufell@g.o> wrote: |
2 |
> |
3 |
> No one has proven that git is cryptographically insecure. Everyone |
4 |
> claiming that probably refers to |
5 |
> https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html and |
6 |
> the fact that we don't sign blob objects. |
7 |
> |
8 |
> While that is something git upstream has to fix, all known SHA1 |
9 |
> "attacks" are NOT "preimage attacks". So the whole point is utterly and |
10 |
> mathematically moot for us in practice. This is wasting our time. |
11 |
> |
12 |
|
13 |
I'd take a few issues with your wording, but not with your argument as |
14 |
it applies to Gentoo. |
15 |
|
16 |
Whether a collision attack or a preimage attack is necessary to make |
17 |
something insecure depends on how the hash is being used. In the case |
18 |
of Gentoo the author is the signer, so a collision attack doesn't |
19 |
really mean much. If the signer wanted to sign something different, |
20 |
they would just do it. In another workflow where the where the signer |
21 |
is somebody other than the author, then a collision attack might be |
22 |
meaningful, even in the absence of a preimage attack. That is, as the |
23 |
author I can use a collision attack to generate two git trees with the |
24 |
same hash. One is a tree you would be willing to sign off on, and the |
25 |
other is one that you would be unwilling to sign off on. After |
26 |
obtaining your signature I could keep your commit object and swap out |
27 |
the tree resulting in a repo that has your signature but what you |
28 |
signed off on is not what is in the repo. You could see how in some |
29 |
code-review scenarios that might be relevant (only if the submitted |
30 |
tree is signed unmodified - any rebasing could break this, and even a |
31 |
merge could break it[1]). On the other hand, in the author-is-signer |
32 |
workflow of Gentoo it isn't very relevant, since if I want to stick |
33 |
something nasty in the tree I can just do it. |
34 |
|
35 |
Overall, though, sha1's days are numbered. I don't think that is a |
36 |
reason to make an inconvenient change in our workflow just now. |
37 |
However, it really is the sort of thing the git maintainers should be |
38 |
thinking about and at least planning for. |
39 |
|
40 |
This also brings up the issue of unstated assumptions made by |
41 |
development teams. They use a tool which has some cryptographic |
42 |
weakness, based on the argument that the weakness is not a problem for |
43 |
their intended use. Then when somebody else comes along and uses the |
44 |
application in a manner not originally intended or conceived of by the |
45 |
authors, the weakness compromises the security of the application, |
46 |
perhaps in a way the users aren't aware of. Then when the problem is |
47 |
exploited and publicized everybody gets to argue about whose fault it |
48 |
is. |
49 |
|
50 |
Footnotes: |
51 |
1 - ...though if you could be reasonably sure that other commits being |
52 |
rebased/merged wouldn't touch the part of the tree you're messing with |
53 |
you could do a collision on a tree object below the root and not on |
54 |
the root itself. As long as no other commits before the merge mess |
55 |
with the part of the tree you're playing games with you could swap out |
56 |
just that part of the tree if you could do a collision attack and then |
57 |
both the merge and your own commit will inherit the changes. |
58 |
|
59 |
-- |
60 |
Rich |