Johan Corveleyn <[email protected]> writes: > I think what is really missing here is a clear analysis of the > *problem*. What problem are we trying to solve?
I would say the problem statement is there, starting from the very first email in the original thread [1] and the BRANCH-README [2]: - Working copy relies on an assumption that files with identical checksum values have identical content. - This assumption is not true if there is a checksum collision. In such case the working copy behaves as if the files had identical content, whereas in fact they do not. This can result in unintended and buggy behavior, possibly accompanied by security issues. - We currently use SHA1 checksum with known collisions, so there are known cases when this assumption does not hold. - When the SHA1 collision situation worsens, things like a chosen-prefix attack could allow finding more meaningful collisions such as working executables/scripts that would have bigger exploitation potential. - There's an example use-case [3] with data forgery (content change) during checkout if the repository contains files with different content and colliding checksums. - The pristines-on-demands feature regresses this further by starting to rely on checksum comparison for "svn st". I explored the feasibility of the following technical changes and was proposing that we implement them to improve the whole situation: - Make the technical groundwork so that the working copy would not be limited to just using the SHA1 as the checksum kind: https://svn.apache.org/repos/asf/subversion/branches/pristine-checksum-kind - Build up on that, and start using dynamically-salted SHA1 checksums: https://svn.apache.org/repos/asf/subversion/branches/pristine-checksum-salt ``` With the dynamic salt: - Publicly known SHA-1 collisions no longer result in collisions when checksummed by the working copy. This is because the actually checksummed content now includes the random prefix salt. - Constructing a chosen-prefix SHA-1 collision no longer results in a collision when checksummed by the working copy. This is because the constructed collision cannot account for the random prefix salt, because it's unknown in advance. ``` [1]: https://lists.apache.org/thread/cq9q43qb3774kb853qcmnml9zd68dyj3 [2]: https://svn.apache.org/repos/asf/subversion/branches/pristine-checksum-salt/BRANCH-README [3]: https://lists.apache.org/thread/8kgq6hv9zgm9j4p2ppxnhyln2t3nlmlh Regards, Evgeny Kotkov
