On Sat, Dec 29, 2007 at 03:45:35PM +1100, David Symonds wrote:
On Dec 29, 2007 3:27 PM, J.C. Pizarro <jcpiza@xxxxxxxxx> wrote:Dear Linus Torvalds, What do you think to do when your git has to change from SHA-1 to SHA-2 because of the weaker collision-resistance of SHA-1 in the next years? (e.g. from an damn developer trying to commit a collisioned-SHA-1 file)It's a non-issue. The closest-to-practical attack method on SHA-1 is a collision-finding attack, not a second pre-image attack, which means you can find two messages with the same hash. As far as I know, there's no significant weakness known for finding a pre-image, which would be the most practical way of weakening Git's "security" via SHA-1 substitution.
<http://en.wikipedia.org/wiki/Birthday_attack> has some good background on the "problem". I suppose when SHA-1 is broken and people can generate arbitrary files with the same hash, it would be possible to use this to make files that were annoying to try and use with Git. Git wouldn't have any problem with normal colliding files, since it hashes the files with a prefix, so the files would have to be generated specifically for git.
Regardless, the use of SHA-1 in Git isn't primarily for security, though it is a nice side-effect. The SHA-1 is there for reliability in addressing and as a good hash.
Given a method for producing a colliding pair for SHA1, it would be possible to check in a version of a file and later replace it in a repository with the other version without detection. The current pairs for MD5 contain blocks of binary data, so this would be fairly obvious if it got checked into source code. It would also only replace the blob on a compromised machine. Anyone who has already pulled the blob wouldn't download the new one. As far as a collision occurring accidentally, according to the Wiki page (the math looks right), for a 128-bit hash, 820 billion objects would have a 10^(-15) probability of a collision. SHA-1 is 160 bits, so the probability is even lower. The possible (or even likely) breaking of SHA-1 is only for intentional collisions. SHA-1 as a non-colliding hash function should be good for trillions of objects, and that's all in the same repo. It might be worth tossing around ideas for using a larger hash in a fairly long-term future, though. Dave - To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
