| 1 |
On Sat, Aug 15, 2015 at 7:24 AM, hasufell <hasufell@g.o> wrote: |
| 2 |
> |
| 3 |
> No one has proven that git is cryptographically insecure. Everyone |
| 4 |
> claiming that probably refers to |
| 5 |
> https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html and |
| 6 |
> the fact that we don't sign blob objects. |
| 7 |
> |
| 8 |
> While that is something git upstream has to fix, all known SHA1 |
| 9 |
> "attacks" are NOT "preimage attacks". So the whole point is utterly and |
| 10 |
> mathematically moot for us in practice. This is wasting our time. |
| 11 |
> |
| 12 |
|
| 13 |
I'd take a few issues with your wording, but not with your argument as |
| 14 |
it applies to Gentoo. |
| 15 |
|
| 16 |
Whether a collision attack or a preimage attack is necessary to make |
| 17 |
something insecure depends on how the hash is being used. In the case |
| 18 |
of Gentoo the author is the signer, so a collision attack doesn't |
| 19 |
really mean much. If the signer wanted to sign something different, |
| 20 |
they would just do it. In another workflow where the where the signer |
| 21 |
is somebody other than the author, then a collision attack might be |
| 22 |
meaningful, even in the absence of a preimage attack. That is, as the |
| 23 |
author I can use a collision attack to generate two git trees with the |
| 24 |
same hash. One is a tree you would be willing to sign off on, and the |
| 25 |
other is one that you would be unwilling to sign off on. After |
| 26 |
obtaining your signature I could keep your commit object and swap out |
| 27 |
the tree resulting in a repo that has your signature but what you |
| 28 |
signed off on is not what is in the repo. You could see how in some |
| 29 |
code-review scenarios that might be relevant (only if the submitted |
| 30 |
tree is signed unmodified - any rebasing could break this, and even a |
| 31 |
merge could break it[1]). On the other hand, in the author-is-signer |
| 32 |
workflow of Gentoo it isn't very relevant, since if I want to stick |
| 33 |
something nasty in the tree I can just do it. |
| 34 |
|
| 35 |
Overall, though, sha1's days are numbered. I don't think that is a |
| 36 |
reason to make an inconvenient change in our workflow just now. |
| 37 |
However, it really is the sort of thing the git maintainers should be |
| 38 |
thinking about and at least planning for. |
| 39 |
|
| 40 |
This also brings up the issue of unstated assumptions made by |
| 41 |
development teams. They use a tool which has some cryptographic |
| 42 |
weakness, based on the argument that the weakness is not a problem for |
| 43 |
their intended use. Then when somebody else comes along and uses the |
| 44 |
application in a manner not originally intended or conceived of by the |
| 45 |
authors, the weakness compromises the security of the application, |
| 46 |
perhaps in a way the users aren't aware of. Then when the problem is |
| 47 |
exploited and publicized everybody gets to argue about whose fault it |
| 48 |
is. |
| 49 |
|
| 50 |
Footnotes: |
| 51 |
1 - ...though if you could be reasonably sure that other commits being |
| 52 |
rebased/merged wouldn't touch the part of the tree you're messing with |
| 53 |
you could do a collision on a tree object below the root and not on |
| 54 |
the root itself. As long as no other commits before the merge mess |
| 55 |
with the part of the tree you're playing games with you could swap out |
| 56 |
just that part of the tree if you could do a collision attack and then |
| 57 |
both the merge and your own commit will inherit the changes. |
| 58 |
|
| 59 |
-- |
| 60 |
Rich |
Archives