Linus Torvalds On Git's Use Of SHA-1: 'The Sky Isn't Falling'

Google's researchers specifically cited Git when they announced a new SHA-1 attack vector, according to ZDNet. "The researchers highlight that Linus Torvald's code version-control system Git 'strongly relies on SHA-1' for checking the integrity of file objects and commits. It is essentially possible to create two Git repositories with the same head commit hash and different contents, say, a benign source code and a backdoored one,' they note." Saturday morning, Linus responded: First off - the sky isn't falling. There's a big difference between using a cryptographic hash for things like security signing, and using one for generating a "content identifier" for a content-addressable system like git. Secondly, the nature of this particular SHA1 attack means that it's actually pretty easy to mitigate against, and there's already been two sets of patches posted for that mitigation. And finally, there's actually a reasonably straightforward transition to some other hash that won't break the world - or even old git repositories...

The reason for using a cryptographic hash in a project like git is because it pretty much guarantees that there is no accidental clashes, and it's also a really really good error detection thing. Think of it like "parity on steroids": it's not able to correct for errors, but it's really really good at detecting corrupt data... if you use git for source control like in the kernel, the stuff you really care about is source code, which is very much a transparent medium. If somebody inserts random odd generated crud in the middle of your source code, you will absolutely notice... It's not silently switching your data under from you... And finally, the "yes, git will eventually transition away from SHA1". There's a plan, it doesn't look all that nasty, and you don't even have to convert your repository. There's a lot of details to this, and it will take time, but because of the issues above, it's not like this is a critical "it has to happen now thing".
In addition, ZDNet reports, "Torvalds said on a mailing list yesterday that he's not concerned since 'Git doesn't actually just hash the data, it does prepend a type/length field to it', making it harder to attack than a PDF... Do we want to migrate to another hash? Yes. Is it game over for SHA-1 like people want to say? Probably not."

Re:Using SHA-1 in this day and age is just lazy

[ckatko]

Pretty sure I take his opinion over yours. All he did was help create the software that the majority of the entire internet runs on.

Re:Using SHA-1 in this day and age is just lazy

[lgw]

Time for Torvalds to drop the attitude and fix this

As far as I can tell, this is a non-cryptographic use of hashing. I've used MD5 in plenty of places just to get a fast (hardware-accelerated) unique ID for a chunk of data, or as a checksum. No security purpose at all.

git was written when SHA-1 attacks were published

[ffkom]

Both happened in 2005. And SHA-2 was published 4 years earlier. So yes, the sky is not falling, and git can be made secure, but it also wasn't really wise to use SHA-1 when git was implemented, first.

BTW: At the company I work for, we already replaced SHA-2 with SHA-3 for security reasons. Better safe than sorry.

Re:git was written when SHA-1 attacks were publish

[ffkom]

If you read Linus' whole statement, you will also find the part where he writes "yes, in git we also end up using the SHA1 when we use "real" cryptography for signing the resulting trees, so the hash does end up being part of a certain chain of trust. So we do take advantage of some of the actual security features of a good cryptographic hash, and so breaking SHA1 does have real downsides for us."

Regarding our use of SHA-3: We use crypographic hash-sums as keys to cached data items that are not permitted for everyone to request. Thus we need to make sure that the cache keys cannot be "guessed" (like from knowing a valid cache key for a similar data item).

Re: git was written when SHA-1 attacks were publis

[fahrbot-bot]

Your comment might have been funny if at least their was some algorithm called "SHA-7", but there isn't.

At least Mozilla isn't in charge of updating this, otherwise we'd get SHA-1.0.1, 1.0.2, 1.0.3, 1.1.0 ... bumped every six weeks.

Re:Using SHA-1 in this day and age is just lazy

[HiThere]

His arguments as to why it isn't serious are reasonable. If you want your arguments to be considered, you need to make some.

Re:Using SHA-1 in this day and age is just lazy

[Dahamma]

"Appeal to authority" is not a logical fallacy when the authority is actually an expert in the field. You'd have to be a moron not to value the opinion of a highly accomplished programmer over an AC troll on slashdot.

Re: Using SHA-1 in this day and age is just lazy

[bondsbw]

Appeal to authority makes a weak argument, but does not invalidate it. You have yet to provide even a weak argument to the contrary.

Re:Using SHA-1 in this day and age is just lazy

[ShanghaiBill]

He wrote a a small portion of a now popular kernel

He also wrote Git, which is topic being discussed.

You are a fool to take his word on little more than faith on anything resembling a security issue.

1. This is not a security issue.
2. Linus explained his reasoning very clearly, so nothing is being taken on "faith".

Re:git was written when SHA-1 attacks were publish

[mrvan]

BTW: At the company I work for, we already replaced SHA-2 with SHA-3 for security reasons. Better safe than sorry.

In my country, we kicked out the Shas and migrated to Ayatollahs, who have a unique uniqueness guarantee!

People without a clue commenting on crypto

[gweihir]

That really annoys me no end. There is some gradual improvement in a specific attack, expected by everybody that has a clue and not seen as anything dramatic by the same people. And immediately a horde of people with no understanding of crypto swoop in an declare the sky to be falling and all uses of this thing are now invalid. This is really just utterly pathetic.

Example: I have to constantly defend the use of SHA1 for password hashing. (Sure, something like pbkdf2 or Argon2 should come later if the password may be low-entropy and gets stored. That is not always the case.) The thing is that password hashing has the purpose of preventing the hash being turned into a password again. Collision attacks have no impact on that at all. For a collision attack you would need to know the password and then you could find a second one with the same hash (or rather with the two-sided, much easier, variant you can find two passwords that map to the same hash). Now, these nil-whits completely overlook that the situation when using hashes in signatures always is that you already have what gets signed, which is completely different to the password situation. Still they claim "SHA1 is broken!". No it is not. It is broken for some specific _different_ application.

Why so many non-experts think they can voice a qualified opinion about a very hard mathematical topic is beyond me.

What Linus says here is exactly right and it is a statement by an expert. All those criticizing him are basically people that can put on a band-aid telling a brain-surgeon how to do his work. They just do not get it at all.