On 3/9/17, Warren Young <[email protected]> wrote:
>
> My question is, does the new SHA-3 scheme protect us from that possibility,
> or will a Fossil checkout of the tip of that repository replay the SHA-3
> delta on top of the tampered SHA-1 checkin and be thereby tainted?
>

(1) If artifact X is stored as a delta from artifact Y, that means Y must already be in the repository. If a new artifact Y' which has the same SHA1 hash as Y comes along, it will be discarded, since an artifact with that same hash is already in the repository.

(2) If you apply the Y->X delta to Y' instead of to Y, you are not going to get an object that has the same hash as X, especially if X has a sha3 hash. (I'm not sure if Fossil actually checks that right now, but it is certainly easy enough to add - all the information is readily at hand.)

(3) Just to make the problem a little harder for the attacker, the delta itself has its own 32-bit checksum used to verify the integrity of the answer.

(4) At some point, the sync protocol will be rigged up to not accept any new SHA1 artifacts, except when cloning legacy repositories, and then the artifacts must have timestamps prior to some cut-off date (yet to be decided).

(5) There are no known attacks (other than exhaustive search which is still computationally prohibitive) against the Hardened-SHA1 algorithm that is now in use in Fossil in place of SHA1.

--
D. Richard Hipp
[email protected]
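
Points (1) to (3) above, as an added sketch that is not part of the original message and is not Fossil's code. Assumptions: a toy in-memory store, a toy prefix-plus-tail delta, `zlib.crc32` standing in for the delta's 32-bit checksum, and SHA-1 truncated to 16 bits standing in for a hash with practical collisions; all function and class names are hypothetical.

```python
import hashlib
import zlib

def weak_id(data: bytes) -> str:
    # Assumption: SHA-1 cut to 16 bits stands in for a hash with practical
    # collisions, so a colliding Y' can be constructed instantly.
    return hashlib.sha1(data).hexdigest()[:4]

def sha3_id(data: bytes) -> str:
    return hashlib.sha3_256(data).hexdigest()

class Store:
    """Toy content-addressed store (hypothetical, not Fossil's schema)."""
    def __init__(self):
        self.blobs = {}

    def put(self, name: str, data: bytes) -> bool:
        if name in self.blobs:      # point (1): name already present,
            return False            # so the newcomer is discarded
        self.blobs[name] = data
        return True

def make_delta(base: bytes, target: bytes):
    # Toy delta (not Fossil's format): shared-prefix length, tail, checksum.
    n = 0
    while n < min(len(base), len(target)) and base[n] == target[n]:
        n += 1
    return n, target[n:], zlib.crc32(target)

def replay(base: bytes, delta, expected_name: str):
    n, tail, crc = delta
    out = base[:n] + tail
    crc_ok = zlib.crc32(out) == crc            # point (3): delta checksum
    name_ok = sha3_id(out) == expected_name    # point (2): result must hash to X
    return out, crc_ok, name_ok

def colliding_blob(y: bytes) -> bytes:
    # Constructed sample input: a different blob with the same weak_id as y.
    for i in range(1 << 24):
        cand = b"tampered checkin %d\n" % i
        if weak_id(cand) == weak_id(y):
            return cand
    raise RuntimeError("no collision found")

def demo():
    y = b"original checkin\nline 2\n"          # constructed sample artifacts
    x, y2, store = y + b"line 3\n", colliding_blob(y), Store()
    kept = (store.put(weak_id(y), y), store.put(weak_id(y2), y2))
    delta, name = make_delta(y, x), sha3_id(x)
    return kept, replay(y, delta, name)[1:], replay(y2, delta, name)[1:]
```

`demo()` returns the two `put` results followed by the (checksum, hash) check results for replaying the delta on Y and on Y'.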

