GNU bug report logs - #25999
SHA1SUM: please switch to sha1dc to warn of attempted hash collision attacks


Package: coreutils; Severity: wishlist; Reported by: Henrique de Moraes Holschuh <hmh@HIDDEN>; dated Mon, 6 Mar 2017 15:17:01 UTC; Maintainer for coreutils is bug-coreutils@HIDDEN.
Severity set to 'wishlist' from 'normal'. Request was from Assaf Gordon <assafgordon@HIDDEN> to control <at> debbugs.gnu.org.

Message received at 25999 <at> debbugs.gnu.org:


Subject: Re: bug#25999: SHA1SUM: please switch to sha1dc to warn of attempted hash collision attacks
To: Henrique de Moraes Holschuh <hmh@HIDDEN>, 25999 <at> debbugs.gnu.org
References: <1488813374.3833386.901979264.6597C9CC@HIDDEN>
From: Pádraig Brady <P@HIDDEN>
Message-ID: <992429e4-cdad-93cd-0fc8-e8cef3a3f774@HIDDEN>
Date: Mon, 6 Mar 2017 20:45:11 -0800
In-Reply-To: <1488813374.3833386.901979264.6597C9CC@HIDDEN>

On 06/03/17 07:16, Henrique de Moraes Holschuh wrote:
> This is a feature request, in light of the "shattered" attack against
> SHA-1[1] published by Google.
> 
> A drop-in replacement for sha1 exists, based on the concept of
> counter-cryptanalysis[2].  This drop-in replacement can detect when the
> SHA-1 hash hits the weakened internal states used by the shattered
> attack.  Optionally, it can also negate the
> collision-resistance-weakening effect of the "shattered" attack.
> 
> This "hardened sha1" drop-in replacement is called sha1dc (for collision
> detection), and an implementation can be found at:
> 
> https://github.com/cr-marcstevens/sha1collisiondetection
> 
> The license for the sha1-dc library is MIT.  Another noteworthy user of
> sha1dc is the git scm, which will use it to _detect_ objects weakened
> for easier collisions, and refuse such objects.  This new version of git
> has not been released yet at the time I am writing this bug report, but
> the relevant patches are already in git's "pu" branch.
> 
> It would be nice if coreutils' sha1sum would use sha1dc, and report
> (either as a warning, or as an error) when an attempt at generating SHA1
> collisions is detected.
> 
> Note that this feature request is not for sha1sum to switch to the
> hardened "safe version" of sha1dc that defuses the collision attempts,
> but rather that sha1dc be used to detect and warn the user about the
> specially crafted input data that makes the "shattered" attack feasible.
> 
> I have no strong opinions on whether sha1sum should abort or just warn
> when an attempted collision is detected.  I also have no strong opinions
> whether it should use "safe mode" or not, as long as it *does* warn the
> user when an attempted collision is detected... only, I feel "safe mode"
> behavior should be optional (I have no strong opinions on whether it
> should be enabled by default or not).
> 
> [1] https://shattered.it/
> [2] http://eprint.iacr.org/2017/173/20170228:105224
> 

Interesting.

I agree the "safe version" is less interesting as one
can use sha3 or blake2 with the same length as sha1,
for about the same compatibility but greater protection.

As for detection, I suppose we should by default
enable this with sha1sum --check, because:
 - sha1sum should be as safe as possible by default
 - we don't care that much about sha1 perf since it's deprecated
 - false positive probability is smaller than 2^-90

I wonder whether a similar analysis is possible for md5sum?

As for licensing, we could probably integrate it as
we already do for src/blake2/.

thanks,
Pádraig




Information forwarded to bug-coreutils@HIDDEN:
bug#25999; Package coreutils.

Message received at submit <at> debbugs.gnu.org:


Message-Id: <1488813374.3833386.901979264.6597C9CC@HIDDEN>
From: Henrique de Moraes Holschuh <hmh@HIDDEN>
To: bug-coreutils@HIDDEN
Date: Mon, 06 Mar 2017 12:16:14 -0300
Subject: SHA1SUM: please switch to sha1dc to warn of attempted hash collision attacks

This is a feature request, in light of the "shattered" attack against
SHA-1[1] published by Google.

A drop-in replacement for sha1 exists, based on the concept of
counter-cryptanalysis[2].  This drop-in replacement can detect when the
SHA-1 hash hits the weakened internal states used by the shattered
attack.  Optionally, it can also negate the
collision-resistance-weakening effect of the "shattered" attack.

This "hardened sha1" drop-in replacement is called sha1dc (for collision
detection), and an implementation can be found at:

https://github.com/cr-marcstevens/sha1collisiondetection

The license for the sha1-dc library is MIT.  Another noteworthy user of
sha1dc is the git scm, which will use it to _detect_ objects weakened
for easier collisions, and refuse such objects.  This new version of git
has not been released yet at the time I am writing this bug report, but
the relevant patches are already in git's "pu" branch.

It would be nice if coreutils' sha1sum would use sha1dc, and report
(either as a warning, or as an error) when an attempt at generating SHA1
collisions is detected.

Note that this feature request is not for sha1sum to switch to the
hardened "safe version" of sha1dc that defuses the collision attempts,
but rather that sha1dc be used to detect and warn the user about the
specially crafted input data that makes the "shattered" attack feasible.

I have no strong opinions on whether sha1sum should abort or just warn
when an attempted collision is detected.  I also have no strong opinions
whether it should use "safe mode" or not, as long as it *does* warn the
user when an attempted collision is detected... only, I feel "safe mode"
behavior should be optional (I have no strong opinions on whether it
should be enabled by default or not).

[1] https://shattered.it/
[2] http://eprint.iacr.org/2017/173/20170228:105224

-- 
  Henrique de Moraes Holschuh <hmh@HIDDEN>
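The check-mode behaviour both messages discuss (enabling detection under sha1sum --check, and the open question of warning versus aborting on a detected collision attempt), sketched as an added example that is not coreutils' or sha1collisiondetection's own code. It assumes the repository's sha1dcsum tool and an output line format for it, and uses constructed sample digests and file names.

```python
"""Sketch of a sha1sum --check that consults sha1dc's detector (added
illustration, not coreutils or sha1collisiondetection code).  Assumes the
repository's sha1dcsum tool prints "<hex>  <file>" for clean input and
"<hex> *coll* <file>" when the near-collision check fires (assumed format)."""
import re
from typing import Dict, Optional, Tuple

_DC_LINE = re.compile(r"^([0-9a-f]{40})\s+(\*coll\*\s+)?(.+)$")
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{40}) [ *](.+)$")  # sha1sum text/binary lines

# Constructed sample data: evil.pdf hashes to its expected digest but trips
# the detector, the case plain sha1sum --check would report as a clean OK.
D_GOOD = "0123456789abcdef0123456789abcdef01234567"
D_COLL = "89abcdef89abcdef89abcdef89abcdef89abcdef"
SAMPLE_SUMS = f"{D_GOOD}  good.bin\n{D_COLL} *evil.pdf\n"
SAMPLE_DC = f"{D_GOOD}  good.bin\n{D_COLL} *coll* evil.pdf\n"

def parse_sha1dcsum(text: str) -> Dict[str, Tuple[str, bool]]:
    """filename -> (digest, detector_fired) from sha1dcsum output."""
    out = {}
    for line in text.splitlines():
        m = _DC_LINE.match(line.strip())
        if m:
            out[m.group(3)] = (m.group(1), m.group(2) is not None)
    return out

def parse_checksums(text: str) -> Dict[str, str]:
    """filename -> expected digest from sha1sum-format lines."""
    return {m.group(2): m.group(1).lower()
            for m in map(_SUM_LINE.match, text.splitlines()) if m}

def verdict(expected: str, observed: Optional[Tuple[str, bool]], policy: str) -> str:
    """A matching digest is not OK once the detector fired; policy picks between
    the thread's two options: 'warn' (pass, but warn) or 'abort' (count as failure)."""
    if observed is None:
        return "FAILED open or read"
    digest, fired = observed
    if digest != expected:
        return "FAILED"
    if fired:
        return "FAILED: collision detected" if policy == "abort" else "OK: WARNING collision detected"
    return "OK"

def check(sums_text: str, dc_text: str, policy: str = "warn") -> Dict[str, str]:
    """Per-file verdicts, like sha1sum --check but collision-aware."""
    observed = parse_sha1dcsum(dc_text)
    return {name: verdict(exp, observed.get(name), policy)
            for name, exp in parse_checksums(sums_text).items()}
```

Note that in sha1dc's "safe mode" the digest of such an input would itself differ, so the same file would simply FAIL; the detect-and-warn mode requested here is what lets a matching digest still be flagged.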




Acknowledgement sent to Henrique de Moraes Holschuh <hmh@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-coreutils@HIDDEN.
Report forwarded to bug-coreutils@HIDDEN:
bug#25999; Package coreutils.
Last modified: Mon, 29 Oct 2018 03:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.