Re: Re: Merge with git-pasky II.

From : Linus Torvalds < : Linus Torvalds < torvalds@osdl.org





On Sun, 17 Apr 2005, Ingo Molnar wrote: > > in fact, this attack cannot even be proven to be malicious, purely via > the email from Malice: it could be incredible bad luck that caused that > good-looking patch to be mistakenly matching a dangerous object. I really hate theoretical discussions. The fact is, a lot of _crap_ engineering gets done because of the question "what if?". It results in over-engineering, often to the point where the end result is quite a lot measurably worse than the sane results. You are _literally_ arguing for the equivalent of "what if a meteorite hit my plane while it was in flight - maybe I should add three inches of high-tension armored steel around the plane, so that my passengers would be protected". That's not engineering. That's five-year-olds discussing building their imaginary forts ("I want gun-turrets and a mechanical horse one mile high, and my command center is 5 miles under-ground and totally encased in 5 meters of lead"). I absolutely _hate_ doing engineering on the principle of "this might be possible in theory", and I'm violently opposed to it. So far, I have not heard a single argument that I consider even _remotely_ likely. The thing is, even if you can force a hash collission by sending somebody a patch, it's really pretty much almost guaranteed that the patch is not just "a few strange characters", unless sha1 is really broken to the point where it's not cryptographically secure _at_all_. In other words, unless somebody finds a way to make sha1 appear as nothing more than a complicated set of parity bits, all brute-force "get the same sha1" is likely to be about generating a really strange blob based on the thing you want to replace - and by "really strange" I mean total binary crap. And likely _much_ bigger too. And by "much bigger" I mean "possibly gigabytes of data". And the thing is, _if_ somebody finds a way to make sha1 act as just a complex parity bit, and comes up with generating a clashing object that actually makes sense, then going to sha256 is likely pointless too - I think the algorithm is basically the same, just with more bits. If you've broken sha1 to the point where it's _that_ breakable, then you've likely broken sha256 too. Nobody has ever proven that you couldn't break sha256 with some really clever algorithm... So if you start playing "what if?" games, dammit, I can play mine. If we want to have any kind of confidence that the hash is reall yunbreakable, we should make it not just longer than 160 bits, we should make sure that it's two or more hashes, and that they are based on totally different principles. And we should all digitally sign every single object too, and we should use 4096-bit PGP keys and unguessable passphrases that are at least 20 words in length. And we should then build a bunker 5 miles underground, encased in lead, so that somebody cannot flip a few bits with a ray-gun, and make us believe that the sha1's match when they don't. Oh, and we need to all wear aluminum propeller beanies to make sure that they don't use that ray-gun to make us do the modification _outselves_. And the thing is, that's just crazy talk. The difference between a crazy person and an intelligent one is that the crazy one doesn't realize what makes sense in the world. The goal of good engineering is not to ask "what if?", but to ask "how do I make this work as well as possible". So please stop with the theoretical sha1 attacks. It is simply NOT TRUE that you can generate an object that looks halfway sane and still gets you the sha1 you want. Even the "breakage" doesn't actually do that. And if it ever _does_ become true, it will quite possibly be thanks to some technology that breaks other hashes too. So until proven otherwise, I worry about accidental hashes, and in 160 bits of good hashing, that just isn't an issue either. Anybody who compares a 128-bit md5-sum to a 160-bit sha1 doesn't understand the math. It didn't get "slightly less likely" to happen. It got so _unbelievably_ less likely to happen that it's not even funny. Linus - To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html