1ab0bb112d
Summary: cdatapack depends on sha1detectcoll, so let's add the library to setup.py before we add cdatapack. Test Plan: hg purge --all && make local && cd tests/ && ./run-tests.py -S -j 48 Verified sha1dc was in the build output and the tests passed. Reviewers: quark, #mercurial Reviewed By: quark Differential Revision: https://phabricator.intern.facebook.com/D6676405 Signature: 6676405:1515444508:2da65c6c3a18267a1d3c151c8e9acf60b674ffc2 |
||
|---|---|---|
| .. | ||
| LICENSE.txt | ||
| README.md | ||
| sha1.c | ||
| sha1.h | ||
| ubc_check.c | ||
| ubc_check.h | ||
sha1collisiondetection
Library and command line tool to detect SHA-1 collisions in files
Copyright 2017 Marc Stevens marc@marc-stevens.nl
Distributed under the MIT Software License.
See accompanying file LICENSE.txt or copy at https://opensource.org/licenses/MIT.
Developers
- Marc Stevens, CWI Amsterdam (https://marc-stevens.nl)
- Dan Shumow, Microsoft Research (https://www.microsoft.com/en-us/research/people/danshu/)
About
This library and command line tool were designed as near drop-in replacements for common SHA-1 libraries and sha1sum. They will compute the SHA-1 hash of any given file and additionally will detect cryptanalytic collision attacks against SHA-1 present in each file. It is very fast and takes less than twice the amount of time as regular SHA-1.
More specifically they will detect any cryptanalytic collision attack against SHA-1 using any of the top 32 SHA-1 disturbance vectors with probability 1:
I(43,0), I(44,0), I(45,0), I(46,0), I(47,0), I(48,0), I(49,0), I(50,0), I(51,0), I(52,0),
I(46,2), I(47,2), I(48,2), I(49,2), I(50,2), I(51,2),
II(45,0), II(46,0), II(47,0), II(48,0), II(49,0), II(50,0), II(51,0), II(52,0), II(53,0), II(54,0), II(55,0), II(56,0),
II(46,2), II(49,2), II(50,2), II(51,2)
The possibility of false positives can be neglected as the probability is smaller than 2^-90.
The library supports both an indicator flag that applications can check and act on, as well as a special safe-hash mode that returns the real SHA-1 hash when no collision was detected and a different safe hash when a collision was detected. Colliding files will have the same SHA-1 hash, but will have different unpredictable safe-hashes. This essentially enables protection of applications against SHA-1 collisions with no further changes in the application, e.g., digital signature forgeries based on SHA-1 collisions automatically become invalid.
For the theoretical explanation of collision detection see the award-winning paper on Counter-Cryptanalysis:
Counter-cryptanalysis, Marc Stevens, CRYPTO 2013, Lecture Notes in Computer Science, vol. 8042, Springer, 2013, pp. 129-146, https://marc-stevens.nl/research/papers/C13-S.pdf
Compiling
Run:
make
Command-line usage
There are two programs bin/sha1dcsum and bin/sha1dcsum_partialcoll.
The first program bin/sha1dcsum will detect and warn for files that were generated with a cryptanalytic SHA-1 collision attack like the one documented at https://shattered.io/.
The second program bin/sha1dcsum_partialcoll will detect and warn for files that were generated with a cryptanalytic collision attack against reduced-round SHA-1 (of which there are a few examples so far).
Examples:
bin/sha1dcsum test/sha1_reducedsha_coll.bin test/shattered-1.pdf
bin/sha1dcsum_partialcoll test/sha1reducedsha_coll.bin test/shattered-1.pdf
Library usage
See the documentation in lib/sha1.h. Here is a simple example code snippet:
#include <sha1dc/sha1.h>
SHA1_CTX ctx;
unsigned char hash[20];
SHA1DCInit(&ctx);
/** disable safe-hash mode (safe-hash mode is enabled by default) **/
// SHA1DCSetSafeHash(&ctx, 0);
/** disable use of unavoidable attack conditions to speed up detection (enabled by default) **/
// SHA1DCSetUseUBC(&ctx, 0);
SHA1DCUpdate(&ctx, buffer, (unsigned)(size));
int iscoll = SHA1DCFinal(hash,&ctx);
if (iscoll)
printf("collision detected");
else
printf("no collision detected");