undefined | Better HN

0 pointsmlyle6y ago0 comments

SHA1 is vulnerable to preimage attacks in reduced round variants. The findings keep steadily improving.

https://en.wikipedia.org/wiki/Preimage_attack

This means if a storage system just uses SHA1 to detect duplication, you can abuse the ability to create a collision to possibly do bad things to the storage system.

0 comments

5 comments · 2 top-level

knorker6y ago· 3 in thread

Yes, but for the specific concerns listed it should not be a problem. That is, if you upload to dropbox and check the sha1 when it comes back, yes you did get the same data back.

And your data can't be stolen by a hash-to-data oracle either, unless the evil attacker constructed your secret data for you.

So it depends on your threat model. Yes there are practical concerns, but not the ones listed.

mlyleOP6y ago

I disagree. Deduplicating filesystems often depend on hash equivalency meaning data equivalency. They may or may not have modes to validate all data before deduplication, but these suck for performance and are often turned off.

E.g. I make two things that hash to the same thing. One is a contract where I'm obligated to pay back a loan. Another is some meaningless document. I give them to a counterparty who puts them in their filesystem, which later scrubs and deduplicates data. Since they hash the same, the filesystem removes the contract and leaves my meaningless document (or never bothers to store the contract because it already exists, if deduping online, etc).

Note that this is a chosen prefix collision, which is much more demanding (and more useful!) than finding a collision in general. And this leaves aside that SHA1 is looking increasingly vulnerable to preimage attacks which further broaden the attack scenarios.

perl4ever6y ago

The filesystem removes a document, but you can't expect it will be the right one more than 50% of the time.

1 more reply

im3w1l6y ago

This doesn't sound crazy farfetched. I bet a lot of people have files in their dropbox that were created by someone else.

upofadown6y ago

>SHA1 is vulnerable to preimage attacks.

From your linked article:

>All currently known practical or almost-practical attacks on MD5 and SHA-1 are collision attacks. In general, a collision attack is easier to mount than a preimage attack, as it is not restricted by any set value (any two values can be used to collide).

j / k navigate · click thread line to collapse