Thursday's watershed attack on the widely used SHA1 hashing function has claimed its first casualty: the version control system used by the WebKit browser engine, which became completely corrupted after someone uploaded two proof-of-concept PDF files that have identical message digests.
The bug resides in Apache SVN, an open source version control system that WebKit and other large software development organizations use to keep track of code submitted by individual members. Often abbreviated as SVN, Subversion uses SHA1 to track and merge duplicate files. Somehow, SVN systems can experience a severe glitch when they encounter the two PDF files published Thursday, proving that real-world collisions on SHA1 are now practical.
On Friday morning, the researchers updated their informational website to add the frequently asked question "Is SVN affected?" The answer:
"Yes - please exercise care, as SHA-1 colliding files are currently breaking SVN repositories. Subversion servers use SHA-1 for deduplication and repositories become corrupted when two colliding files are committed to the repository. This has been discovered in WebKit's Subversion repository and independently confirmed by us. Due to the corruption the Subversion server will not accept further commits."
Source: ArsTechnica
(Score: 2) by KiloByte on Monday February 27 2017, @11:29AM (3 children)
btrfs always does that. This way, you can just as well use short hashes while looking for dedup candidates (far more memory efficient), then for the actual dedupe it uses a hash function immune to both preimage and collision attacks, i.e., the identity function.
Ceterum censeo systemd esse delendam.
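The difference between deduplicating on the digest alone and using the digest only to find candidates before a byte-for-byte compare, as an added example that is not part of this thread and is not btrfs or Subversion code. A 2-byte truncation of SHA-1 stands in for a hash with known collisions so that a colliding pair can be constructed instantly; all class and function names are hypothetical.

```python
import hashlib
from itertools import count

def short_hash(data: bytes, nbytes: int = 2) -> bytes:
    # Assumption: SHA-1 truncated to 2 bytes stands in for a broken hash.
    return hashlib.sha1(data).digest()[:nbytes]

class HashOnlyStore:
    """Dedup keyed on the digest alone: same digest is assumed to mean same content."""
    def __init__(self):
        self.blobs = {}
    def put(self, data: bytes):
        key = short_hash(data)
        self.blobs.setdefault(key, data)  # a colliding blob is silently discarded
        return key
    def get(self, ref) -> bytes:
        return self.blobs[ref]

class VerifyingStore:
    """The digest only picks candidates; a byte-for-byte compare decides."""
    def __init__(self):
        self.buckets = {}
    def put(self, data: bytes):
        key = short_hash(data)
        bucket = self.buckets.setdefault(key, [])
        for i, existing in enumerate(bucket):
            if existing == data:          # the "identity function" check
                return key, i             # true duplicate: share the stored copy
        bucket.append(data)               # same digest, different bytes: keep both
        return key, len(bucket) - 1
    def get(self, ref) -> bytes:
        key, i = ref
        return self.buckets[key][i]

def find_collision():
    """Birthday search for two distinct constructed blobs with equal short_hash."""
    seen = {}
    for n in count():
        blob = b"constructed-blob-%d" % n
        h = short_hash(blob)
        if h in seen:
            return seen[h], blob
        seen[h] = blob

if __name__ == "__main__":
    a, b = find_collision()
    weak, safe = HashOnlyStore(), VerifyingStore()
    weak.put(a); safe.put(a)
    print("hash-only returns b intact:", weak.get(weak.put(b)) == b)
    print("verifying returns b intact:", safe.get(safe.put(b)) == b)
```

The hash-only store hands back the first blob when asked for the second, which is the kind of silent content substitution that a digest-keyed dedup layer cannot detect on its own.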
(Score: 1, Troll) by Scruffy Beard 2 on Monday February 27 2017, @04:34PM (2 children)
No hash function is immune to collisions.
For a long time, SHA-1 was considered immune to pre-image and collision attacks.
(Score: 2) by KiloByte on Tuesday February 28 2017, @03:19PM (1 child)
Kind of *whoosh*, but let's explain.
Any bijective function is fully immune to both collisions and second preimage, not just merely resistant. On the other hand, many of them, like the identity function or rot13, are quite vulnerable to first preimage, but that's not what you use them for. What you're missing is that they're not one-way functions, where collisions must happen due to the pigeonhole principle and may at most be hard to find.
Ceterum censeo systemd esse delendam.
(Score: 1) by Scruffy Beard 2 on Tuesday February 28 2017, @04:45PM
Can you name one bijective hash function that works on arbitrary data?