Apache Subversion Fails SHA-1 Collision Test, Exploit Moves Into The Wild (arstechnica.com)

← Back to Stories (view on slashdot.org)

Apache Subversion Fails SHA-1 Collision Test, Exploit Moves Into The Wild (arstechnica.com)

Posted by EditorDavid on Sunday February 26, 2017 @08:37AM from the making-a-hash-of-it dept.

WebKit's bug-tracker now includes a comment from Friday noting "the bots all are red" on their git-svn mirror site, reporting an error message about a checksum mismatch for shattered-2.pdf. "In some cases, due to the corruption, further commits are blocked," reports the official "Shattered" web site. Slashdot reader Artem Tashkinov explains its significance: A WebKit developer who tried to upload "bad" PDF files generated from the first successful SHA-1 attack broke WebKit's SVN repository because Subversion uses SHA-1 hash to differentiate commits. The reason to upload the files was to create a test for checking cache poisoning in WebKit.

Another news story is that based on the theoretical incomplete description of the SHA-1 collision attack published by Google just two days ago, people have managed to recreate the attack in practice and now you can download a Python script which can create a new PDF file with the same SHA-1 hashsum using your input PDF. The attack is also implemented as a website which can prepare two PDF files with different JPEG images which will result in the same hash sum.

85 of 167 comments (clear)

Min score:

Reason:

Sort:

In other news by Anonymous Coward · 2017-02-26 08:50 · Score: 1

Webkit is apparently on SVN repository.
1. Re: In other news by Cesare+Ferrari · 2017-02-26 09:09 · Score: 3, Insightful
  
  Actually, svn is just about the perfect source control system if you want something quick and dirty that you can understand. git (I presume that is what you would propose as an alternative) adds no features to many small software development teams. Fortunately the svn->git migration path is well trodden.
  If you had mentioned cvs, or rcs, then i'd agree ;-)
2. Re: In other news by Puff_Of_Hot_Air · 2017-02-26 09:31 · Score: 4, Informative
  
  The problem with git, and I don't see it as a major problem, is not that it's hard to get up and running, but rather that you can quite easily get into the kind of trouble that needs expert knowledge to get out of. If you don't happen to have a git expert handy; well, you are going to have a very bad day. In this git shares the same problem as most very powerful tools, for example C. So I agree with the original poster, if you need the facilities of git, then you'd be an idiot to not use it, but if you don't, then other tools are better for simpler uses cases. Much like using something like python makes a huge amount of sense for certain applications, and zero sense for writing kernels.
3. Re: In other news by Anonymous Coward · 2017-02-26 09:43 · Score: 1
  
  Completely agree - if you are just starting to use git, and you don't have a git rock star handy (guy next cubicle over that noisily snorts Cheetos all morning), and you don't have access to Stack Overflow, just quit now.
  There's a reason this SA answer has been upvoted 13,182 times.
4. Re: In other news by Lisandro · 2017-02-26 09:52 · Score: 1
  
  I've been using git on and off for a while and, honestly, it is the most developer-friendly SCM out there. Which kind of problems do you refer to?
  My main pet peeve with git is that it really doesn't work well with big repositories, large number of users, or binary files. Other than that it is a joy to work with.
5. Re: In other news by Lisandro · 2017-02-26 09:54 · Score: 1
  
  Seriously? How hard it is to type git revert?
6. Re:In other news by arglebargle_xiv · 2017-02-26 10:05 · Score: 1
  
  And that's the problem, that SVN has crap handling of colliding values. They use their own homebrew NoSQL store, FSFS, which doesn't handle things like duplicates in any way because it's NoSQL and web scale and stuff, like MongoDB. So the message here is "don't build your app around a crap NoSQL database store", not "SHA-1 will kill you".
  Anyway, I've gotta get back to my job shovelling pig shit, and administering anal suppositories to sick horses.
7. Re: In other news by Puff_Of_Hot_Air · 2017-02-26 10:15 · Score: 1
  
  A quick google of "problems with Git" will quickly reveal the various challenges that git brings to the table, for example git push --force. More generally, any team using git needs to decide on a workflow and carefully adhere to it. How do we manage merge workflows? To rebase or not to rebase? etc. With traditional source control, this is significantly easier.
  I'm not anti-git, far from it. I introduced Git into the company I work for and love it; and it is absolutely the best source control system for distributed teams that exists. If you have distributed teams, it's an absolute must. But if you can't see that it's more complex, then you obviously haven't had the wonderful experience of having to field complaining from 30+ developers and having to fix the amazingly inventive ways in which they have managed to screw things up.
8. Re: In other news by brantondaveperson · 2017-02-26 10:23 · Score: 4, Informative
  
  I love arguing about git.
  SVN has several huge advantages over git. It's far simpler. It doesn't have a thing called 'rebase', which rewrites your commits and occasionally messes them up. Its revision numbers are actually in order, which means you always know which revision came first, given two of them, something that's impossible with git's hashes (YES - I know why the hashes are used... but the reality of 99% of software development is that the repository is centralised, so git's solving an almost non-existent problem here). SVN supports real cherry-picking, and actually records in the repo that you took code from somewhere, as opposed to git's cut-n-paste approach.
  SVN has branches, git has pointers into a tree. Thus in git, it is impossible after the fact to determine to which branch a change was committed, just in which branches it now currently resides. Branches don't really exist in git at all, they aren't versioned (who created a branch, and when?), and if you accidentally delete them you tend to lose the commits against them. Tags in git are even worse. Added to which is the fact that both are implemented in the filesystem as regular files, which means you're at the mercy of your filesystem's ideas regarding case and permitted characters, and good luck if someone tries to check it out into a filesystem with different ideas. Nice design decision there Linus, guess you were having an off day? And the line-endings stuff?... Oh. My. God.
9. Re: In other news by brantondaveperson · 2017-02-26 10:26 · Score: 1
  
  Git breaks. And when it does, good luck. Sometimes it breaks in the middle of a pull, and leaves the opposite of the repo's changes staged for you to accidentally commit. It can crap out when you're stashing, with the same effect. The bloody thing is a usability nightmare. And those hashes? Seriously... why couldn't we have just had a revision number? We're all committing to the same server.
10. Re: In other news by Lisandro · 2017-02-26 10:26 · Score: 1
  
  But i don't quite get it yet. git push --force is not supposed to be a straightforward, or even common operation, as it can destroy history. And selecting/enforcing a ranching schemes is a problem you'll run into with every other SCM in existence.
  I'll admit that git gives you enough tools to shoot yourself in both foots if you're willing to, but it also provides very straightforward, easy to use commands for everyday operations. Anyone proficient in SVN can pick up git in 20'.
11. Re: In other news by Anonymous Coward · 2017-02-26 10:49 · Score: 1
  
  Tags in git are even worse. Added to which is the fact that both are implemented in the filesystem as regular files, which means you're at the mercy of your filesystem's ideas regarding case and permitted characters, and good luck if someone tries to check it out into a filesystem with different ideas. Nice design decision there Linus, guess you were having an off day?
  You don't get that complaint.
  It is well known that Linus created git to manage the linux kernel - a work which is done entirely on linux filesystems where the rules always are the same: case sensitive, and any character except '/' and '\0' works in file names.
  If you use git for something else - well the fact that you are even able to is just a side effect. It is a unix scm; if you use git in another environment then surely everybody uses names that fit the filesystem used there? If you use it in a mixed environment, you get to set the rules for names. If your workers break the rules, they break the repository, their problem. If you don't like that, create a wrapper that do whatever syntax checking you find useful. It is open source, you can fix stuff yourself, (or complain and get your "money back".) Or hire someone to fix it for you - it'll still cost less than any commercial alternative.
12. Re: In other news by multi+io · 2017-02-26 11:56 · Score: 2
  
  SVN has several huge advantages over git. It's far simpler.
  Explain in one or two sentences what a "tree conflict" is and how to resolve it.
13. Re: In other news by Anonymous Coward · 2017-02-26 12:09 · Score: 2, Interesting
  
  I take it you've never seen a team that for some reason merged current files on a pull to effectively revert commits pushed to the remote with their few intended changes, over and over and over, across several people, for days, before noticing that there was a problem. You will bang your head on a desk shouting "why didn't they notice there was a problem..."
  I can't believe though that question was upvoted 13,182 times. According to this SA "most upvoted" query, it's the currently the second most upvoted question they have. There are a *lot* of questions on SA. Sorry, but there is something wrong when something that should be so obvious is a problem that is so commonly faced by so many people when trying to use a "common" and "most fit for the purpose" tool.
  Unbelievably, the third most upvoted question is also related to git. Five of the results in that query are related to git. That's 25% of the top 20 upvoted questions on SA. No questions in the top 20 are related to subversion. I believe that is valid circumstantial evidence that git is difficult to use and understand, especially the concepts related to it. That doesn't mean it's bad, but if you're working with a team that doesn't have much SCM experience (thankfully that's becoming less of an issue quickly), and you don't have time to commit to everyone on the team being able to pick up the nuances of git for a project, SVN is a great way to go as it's extremely simple, mostly due to significantly less feature coverage. Though, $deity help you if you aren't sitting next door to the server.
14. Re: In other news by Anonymous Coward · 2017-02-26 12:25 · Score: 1
  
  Clone a repo, change a file, stage it for commit, and then commit it. How fucking stupid are these morons that they can't do that?
  If that is all you are doing with git, then you might as well stick with svn.
15. Re: In other news by Anonymous Coward · 2017-02-26 12:31 · Score: 1
  
  Seriously... why couldn't we have just had a revision number? We're all committing to the same server.
  No, we're not. That is kind of the point of git.
16. Re: In other news by Anonymous Coward · 2017-02-26 12:46 · Score: 1
  
  git init
  git add
  git commit
  git push
  More like:
  $ git init $ git add $ git commit $ git push error: no remote configured $ git remote add origin ... $ git push error: failed to push some refs to... To prevent you from losing history, non-fast-forward updates were rejected $ git pull You asked me to pull without telling me which branch you want to merge with, and 'branch.master.merge' in your configuration file does not tell me, either. $ git pull master already up to date $ git push master error: failed to push some refs to... To prevent you from losing history, non-fast-forward updates were rejected $ git pull master already up to date $ git push error: failed to push some refs to... To prevent you from losing history, non-fast-forward updates were rejected $ #GOD DAMNIT, WHAT THE FUCK $ git pull origin master already up to date $ git push error: failed to push some refs to... To prevent you from losing history, non-fast-forward updates were rejected $ git pull --rebase You asked me to pull without telling me which branch you want to merge with, and 'branch.master.merge' in your configuration file does not tell me, either. $ #YOU PIECE OF SHIT $ git pull --rebase origin master $ git push origin master 3a8ce4...a91f4e master -> master
  git is a god damn mess, the svn workflow has fewer steps and is more logical. The only benefit git offers over svn is meaningful diffing of binary files, and I'm going to hazard a guess that most developers will never use that capability.
17. Re: In other news by jopsen · 2017-02-26 12:55 · Score: 1
  
  SVN has several huge advantages over git. It's far simpler.
  Explain in one or two sentences what a "tree conflict" is and how to resolve it.
  Create new svn checkout and copy/paste over your changes.
  
  That was "easy", hehe, just kidding I would use git over svn any day :)
18. Re: In other news by brantondaveperson · 2017-02-26 13:33 · Score: 1
  
  As I'm sure you must know perfectly well, it's a conflict caused by a change to a file conflicting at the tree level, so that one person modified the file, and another either deleted or moved it. Git gives a conflict in the first case - naturally - and may give a conflict in the second if its magic content-tracking algorithm fails (which it does, especially in non-trivial cases). You resolve it in the usual way, you inspect both sides, and figure out what to do.
  I know I'm on a losing wicket hating git like I do, but it's just so much less usable. I'd give alot to go back to revision numbers, and really knowing what goes into branches. Git does checkout (sorry... clone) alot faster though, so there's that. Can't help but think that could be fixed.
19. Re: In other news by brantondaveperson · 2017-02-26 14:11 · Score: 1
  
  as it can destroy history
  Which should, really, be impossible for a client to a source control server.
20. Re: In other news by complete+loony · 2017-02-26 14:15 · Score: 3, Funny
  
  You want a revision number? Simple;
  $ git rev-list HEAD | wc -l
  Assuming everyone is on the same branch of course....
  (Obligatory XKCD)
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
21. Re: In other news by Lisandro · 2017-02-26 14:26 · Score: 1
  
  It doesn't - unless you allow it, of course. You can destroy history on you local repository all you want but the upstream one will reject it unless specifically permitted.
22. Re: In other news by Antique+Geekmeister · 2017-02-26 14:27 · Score: 1
  
  I've worked professionally with most source control systems for decades. I'm afraid to say that the only remaining features which Subversion does better than git are the ability to check out only one directory of an upstream repository, rather than needing to check out the entire repository, and the inability to delete content from the upstream repository.
  The ability to delete content is from experience a vital component, because developers can and will accidentally pollute the central repository with undesired content. This content ranges from bulky binary files, core dumps, and security sensitive content which they should not have submitted.
  And Subversion's centralized control comes at a real price. It makes forking and doing an independent set of work, with local commits, effectively impossible.
23. Re: In other news by Xylantiel · 2017-02-26 14:51 · Score: 1
  
  My opinion is that git and svn have largely different purposes. The centralized/distributed one is the most obvious. But also git is a revision history manager, whereas svn is mostly a revision history. And I am convinced that simplicity is in the eye of the beholder.
24. Re: In other news by nasch · 2017-02-26 15:30 · Score: 1
  
  Mercurial seems so much nicer than what I read about git. I'm glad my company decided to go that way.
25. Re: In other news by brantondaveperson · 2017-02-26 15:43 · Score: 1
  
  81747
  Thanks complete_loony, I'll get that integrated into our workflow.
26. Re: In other news by phantomfive · 2017-02-26 16:50 · Score: 1
  
  Another way of looking at it: if you have a team with a single, centralized repository, why waste everyone's disk space by distributing to everyone?
  
  I like Git, and prefer its pleasant UI, but I can see there are definitely reasons people would use SVN. (I can even think of reasons a team would use Visual Source Safe, although that's more of a stretch).
  
  --
  "First they came for the slanderers and i said nothing."
27. Re: In other news by Anonymous Coward · 2017-02-26 19:44 · Score: 2, Informative
  
  > I'd give alot to go back to revision numbers...
  Why? All that matters is the logical ordering of commits, not the chronological ordering. I DGAF about when someone wrote a bit of code. All that I want is for each commit to more or less work, and for the history to be easily bisectable to aid in bug hunting.
  > Git gives a conflict in the first case - naturally - and may give a conflict in the second if its magic content-tracking algorithm fails...
  As an SVN -> Git convert, I've had git just Do The Right Thing(TM) when committing changes to a moved file more times than I can count. I lost _weeks_ of my life to doing that shit manually with SVN. I get that content tracking doesn't work 100% of the time, but it works infinity% of the time more often than it does in SVN.
  > Branches don't really exist in git at all...
  what?
  > they aren't versioned (who created a branch, and when?),
  wot?!
  If you look at this https://github.com/inaka/shotgun/compare/dave.151.update.deps.to.2.0.0.pre It's obvious that euenlopez@gmail.com created that branch on June 02, 2016. This one-liner makes it doubly clear that this isn't github trickery:
  git log `git log master..dave.151.update.deps.to.2.0.0.pre --oneline | tail -n 1 | awk '{ print $1 }'` | head -n 3
  (The git log invocation inside the backticks gives you the commits that dave.151... has that master doesn't, putting the "oldest" at the bottom. The tail/awk pipe scrapes out the commit ID of the "oldest' commit. That commit ID is fed to the outer git log, and the first three lines of that log are scraped off by head.)
  > ...and if you accidentally delete them you tend to lose the commits against them.
  a) If you delete a branch, you don't want the commits in it.
  b) But if you _did_ want those commits, git reflog saves you from your mistakes
  c) man git-reflog , for $DEITY's sake
  Don't get lost in the terminology of the man page. Just make a git repo, perform some changes to it (some small, some large) and play with git reflog.
  Every change you make to a local repo is stored locally, for 90 days -by default-. git reflog lets you sort through that and restore the pointers that you carelessly blew away.
28. Re: In other news by Varcain · 2017-02-27 01:36 · Score: 1
  
  SVN has several huge advantages over git.
  Ok, let's see these advantages.
  
  It's far simpler.
  I get it, you don't like all this changing history, rebasing, amending, reflog stuff. But for most basic git operation you need to know as many commands as for SVN. And with git you get the benefit of all the magic you can do on top of that. It's almost like saying that you prefer DOS to anything else because it's simpler - less commands, no pesky multitasking and you can do with it everything YOU need to.
  
  It doesn't have a thing called 'rebase', which rewrites your commits and occasionally messes them up.
  You conveniently ignore the fact that rebase is used almost exclusively in local branches and never on git upstream/production mirrors. The main assumption made by git is that your local history doesn't matter (why should it?). The only thing that matters is the history everyone else is using/depending on. To keep this history clean you use this evil rebase thing to apply your patches to production/upstream branch without polluting the git log with unnecessary noise (I will mention later why this matters for upstream repository even though rebase is not used there). This way git user checks that patches are applied cleanly and if not then fix conflicts. Basically rewriting commits is very useful for your local work and when git "messes them up" it's actually you messing them up because you made a mistake during rebase. I use rebase a lot to squash commits from my local work, to edit commit messages or make any changes to the patch set if something was found by testers. With SVN you don't have this luxury at all. I don't see how this is any advantage for SVN.
  
  Its revision numbers are actually in order, which means you always know which revision came first, given two of them, something that's impossible with git's hashes
  I use git in my work, I also had to use SVN in few projects. I *never* encountered any actual situation where git hashes instead of revision numbers were a problem. Any git user knows how to use the git hash properly (i.e. extract meaningful data from it). There is also command in one of replies to you here which can convert git hashes to revision numbers, but I never encountered situation where this was actually needed by anyone, anywhere. I think the sheer inconvenience and all the drawbacks of SVN are not worth the pretty little nice looking revision numbers in the revision log.
  
  but the reality of 99% of software development is that the repository is centralised, so git's solving an almost non-existent problem here)
  It's actually solving (by accident) a very existing problem where you have to contact SVN server every time you want to see the commit log, create patch from commit or see what the commit actually did to files. Ever worked in a project where SVN was on some slow-ass customer server? I did, and it would be so much less painful with git.
  
  SVN supports real cherry-picking, and actually records in the repo that you took code from somewhere, as opposed to git's cut-n-paste approach.
  And how is that a problem? Why is relying on some magic revision control tool metadata to store such information any better? If you use -x flag for your cherry-pick you basically have all the information you need to find the original commit. Git commit --amend and you can add any additional information you like so it's even more clear. Hell, you can do that later to any commit in your huge patch set using git rebase -i.
  
  SVN has branches, git has pointers into a tree. Thus in git, it is impossible after the fact to determine to which branch a change was committed, just in which branches it now currently resides.
  You silently ignore the fact that with SVN you have to do this whole tree copy on the svn server to create a branch, which again is a huge PITA if
29. Re: In other news by brantondaveperson · 2017-02-27 07:47 · Score: 1
  
  See? I told you arguing about git was fun.
  Fact: SVN stores more information about what's going on with your source code than git, and it never loses anything, even if you ask it really nicely. And it never magically changes files just because it decided that your line endings need to be just-so.
  
  You silently ignore the fact that with SVN you have to do this whole tree copy on the svn server to create a branch,
  I silently ignore that, because it's not true. SVN marks the point at which the copy was made, who made it, and when. It doesn't actually copy anything, because that would be silly. You can do the copy on the server, and switch your checkout to your new branch, just like you can with git. Except that it's all centralised (like 99% of real software development - the Linux kernel is actually an edge case), so your branch is safely on the server right away.
  Anyway, I don't expect to change anyone's mind - I just find it a bit of a shame that everyone has jumped on this tool, despite it's extreme shortcomings and rampant complexity. I mean, preferring git's SHA-1 hashes to revision numbers is just kinda bonkers. They're not ordered. You need access to the repo to know if a particular commit is in a particular build, because the hashes mean nothing by themselves. Aargh. Etc.
30. Re: In other news by brantondaveperson · 2017-02-27 07:49 · Score: 1
  
  when git "messes them up" it's actually you messing them up because you made a mistake during rebase
  No it's not. It' git crashing, and borking my local copy, thanks very much. And yes I have the latest version.
31. Re: In other news by x_t0ken_407 · 2017-02-27 08:36 · Score: 1
  
  Apprently (I haven't read the source code), the authors agree with you:
  
  The name "git" was given by Linus Torvalds when he wrote the very
  first version. He described the tool as "the stupid content tracker"
  and the name as (depending on your way):
  - random three-letter combination that is pronounceable, and not
  actually used by any common UNIX command. The fact that it is a
  mispronunciation of "get" may or may not be relevant.
  - stupid. contemptible and despicable. simple. Take your pick from the
  dictionary of slang.
  - "global information tracker": you're in a good mood, and it actually
  works for you. Angels sing, and a light suddenly fills the room.
  - "g*dd*mn idiotic truckload of sh*t": when it breaks
32. Re: In other news by 31eq · 2017-02-27 09:02 · Score: 1
  
  If you need rebase in Subversion, there is a Python script that can do it https://bitbucket.org/x31eq/om...
33. Re: In other news by Anonymous Coward · 2017-02-27 09:12 · Score: 1
  
  I've been using Git for over 5 years on a dozen different platforms and never once had Git crash. Buy a new computer.
34. Re: In other news by david_thornley · 2017-02-27 10:54 · Score: 1
  
  Linux Torvalds designed both Linux and Git according to what HE thinks makes sense and how HE thinks things should work, with his basic philosophy of "this is how I think it should be done and if you disagree, fuck off and use something else".
  
  And this would differ from any other open source/proprietary/free/closed source software in what way?
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
35. Re: In other news by complete+loony · 2017-02-27 13:11 · Score: 1
  
  In SVN a commit is final. This encourages developers to leave unfinished work in their work folder without creating a commit until they are "done". So you need a separate backup process for your work folder for any changes that take time to complete. Plus you often end up with a monolithic commit with a bunch of changes. Then how do you review those changes before pushing upstream?
  git rebase gives you a solution to this problem. Whenever I think I've made progress towards solving a problem I can create a commit. If I discover that one of those changes isn't right, I create a new commit with the fixup. Then when I'm "done" with the change, I can rebase in order to produce a series of patches that someone else can more easily review. At any time, if I encounter a bug that I want to push upstream. I can rebase my entire branch first to push the bug fix to the bottom, then push that commit without needing to create a new local branch.
  At any time I can use git to push my incomplete work to a private server or my own work branch on a team server. Both for backup purposes and for collaboration.
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
36. Re: In other news by Lisandro · 2017-03-02 06:33 · Score: 1
  
  git revert is the wrong answer. git revert makes ANOTHER commit to undo the changes of the first commit. Why the hell do you want to preserve mistakes in the history? The accepted answer is more correct than git revert. This is git.
  The reversal SHOULD be a new commit. Undoing commits on a distributed SCMs means you're effectively deleting history.
Re:FINALLY! by Anonymous Coward · 2017-02-26 09:00 · Score: 1

If you don't like it, don't use it. Personally, I love it.
Here's what it means by JoshuaZ · 2017-02-26 09:20 · Score: 4, Informative

Here's what it means: One major aspect of modern cryptography are "hash functions"- a hash function is a function which essentially has the property that in general two inputs with very small differences will give radically different outputs. Also, ideally a hash function will also make it hard to detect "collisions" which are two inputs which have the same output. In general, hash schemes are used for a variety of different purposes, including determining if a file is what it claims to be (by checking that the file has the correct hash value).
Every few years, an existing hash system gets broken and needs to be replaced. MD5 is an example of this; it was very popular and then got replaced.
One of the major currently used hash schemes is SHA-1. However, a few days ago, a group from Google described an attack that allowed them easily find collisions in SHA-1 (easy here is comparative- the amount of computational resources needed was still pretty high). The group released evidence that they could do so but didn't describe how they did so in detail. They gave an example of two files with a SHA-1 collisions and they also described some of the theory behind their attack. What TFS is talking about is how based on this, others have since managed to duplicate the attack and some make some even more efficient variants of it; so effectively this attack is now in the wild.
1. Re:Here's what it means by Lisandro · 2017-02-26 09:38 · Score: 5, Informative
  
  FWIW, you're correct, but "hash function" englobes much more than that. Technically, a CRC is, by definition, a hash function. So is bit parity.
  A cryptographic hash function has the properties you mention, plus the fact that it must not be easily reversible and uniformly distribute results over its entire output space.
2. Re:Here's what it means by Aighearach · 2017-02-26 10:34 · Score: 1
  
  Or, it means more generally that updates are bad, and true security will only come from removal of code thrash. We have to figure out what features we actually want, and implement them, and then stop changing those features.
  As long as everything is thrashing, everything is vulnerable. Protections will be temporary and new bugs will be introduced even into the protections because those too are always experiencing code thrash.
3. Re:Here's what it means by complete+loony · 2017-02-26 11:34 · Score: 5, Informative
  
  Google produced two pdf's that differ in some binary data near the beginning of the file. The SHA-1 hash routine processes data one block at a time, updating its internal state. There are two consecutive blocks that differ between the pdf's. The first pair of blocks produce an internal state where half of the bytes are the same. The second pair of blocks then produce an identical state. The remainder of the pdf files is the same.
  So you can use these two pdf prefixes and append whatever data you want to them to produce your own pair of files. Pdf includes a programming language for rendering content. Within this language you can inspect the earlier bytes of the file to detect which version of the file you are rendering, and make some visual changes. So while there are only a few bytes that are different, you can make two pdfs that display different content.
  Nobody has invested the time to produce a new hash collision, but someone has already automated the production of duplicate pdf's based on this work.
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
4. Re:Here's what it means by 140Mandak262Jamuna · 2017-02-26 11:56 · Score: 1
  
  So as a first measure, if source control software add a "salt" at the top of pdf files being checked in, and strip it out when being checked out, this attack would not work. In fact a simple countermeasure could be to salt all files with a prefix block and a suffix block for the purpose of calculating SHA-1.
  
  --
  sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
5. Re:Here's what it means by brantondaveperson · 2017-02-26 13:42 · Score: 1
  
  There was a hash-collision proof-of-concept thing some years back that purported to have generated two HTML files that hashed to the same value, but displayed different content. In reality, the files were identical, they just contained javascript that displayed different things depending on the URL that the file was served from. A simple trick, but one that could easily defeat hashing strategies applied to things that contain actual executable code, rather than just - say - an image.
6. Re:Here's what it means by Anonymous Coward · 2017-02-26 13:52 · Score: 1
  
  It means the exact opposite of this.
  An old(er) cryptographic hash is now unsafe to use as assumptions that the developers of subversion (and other software) made about it are now invalid, so you MUST update to newer version to avoid unforseen issues due to the ability to generate multiple inputs that hash to the same value.
7. Re:Here's what it means by complete+loony · 2017-02-26 14:00 · Score: 5, Interesting
  
  This is why git is not vulnerable in this specific instance. In git all objects are prepended with their type, in this case "blob". Of course if you had $100k (-ish) to burn, you could repeat this attack on a file that does start with "blob" to break git.
  However you don't need to do this. This attack depends on reaching an intermediate state with specific properties in order to massively reduce the search space. Any attempt to hash a file that reaches one of these states can be detected and rejected. If you swap to using https://github.com/cr-marcstevens/sha1collisiondetection for all SHA-1 calculations, every instance of this attack can be detected and rejected.
  Also I mis-spoke slightly and spotted my error after checking the paper again. The first pair of blocks have half of the same bytes, but produce an internal state with only 6 bytes of differences. The second pair of blocks, again only differ in half of their bytes, and exactly cancel out those 6 bytes of differences. See Table One on page 3 for the actual byte values.
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
8. Re:Here's what it means by nasch · 2017-02-26 15:24 · Score: 1
  
  Wouldn't it be better to switch to SHA-512 or something?
9. Re:Here's what it means by JoshuaZ · 2017-02-27 01:22 · Score: 1
  
  Yeah, that's a valid point. I also was a bit sloppy at other points; I wrote about detecting collisions when I should have said generating collisions. Thanks for expanding in a helpful fashion.
10. Re:Here's what it means by Lisandro · 2017-02-27 01:26 · Score: 1
  
  Np. Sorry if i came across as pedantic - i though the distinction was important because from reading other threads people don't really seem to understand what SHA1 is supposed to and not to do.
Re:FINALLY! by espenskaufel · 2017-02-26 09:32 · Score: 3, Funny

I do not understand why many developers feel so strongly about versions control systems. I wonder if carpenters feel the same way about hammers or if developers are just way to opinionated...
Re:It's fine, Linus said so by Lisandro · 2017-02-26 09:34 · Score: 1

Not really: http://marc.info/?l=git&m=1156... .
Git hashes objects (commit, trees, blobs, tags) instead of individual tags. If you managed to somehow create, say, a commit with the same SHA1 as another existing in a repository pushes to it would be simply ignored.
Re:It's fine, Linus said so by Lisandro · 2017-02-26 09:35 · Score: 1

...instead of individual files...
Re:FINALLY! by Lisandro · 2017-02-26 09:42 · Score: 2

Pretty sure they do.
Re:It's fine, Linus said so by Anonymous Coward · 2017-02-26 09:46 · Score: 1

Git and SVN work very, very differently under the hood. The fact that they rely on the same hash algorithm is irrelevant as they use it in very different ways.
"In the wild" - slight exaggeration by geekpowa · 2017-02-26 09:49 · Score: 2

Someone checked in PDFs that demonstrate the first engineered SHA-1 collision and this broke SVN. PDFs in question took 6500+ cpu years + 110 GPU years to generate. "In the wild" is a bit panicky & excessive.
What does this actually means in terms of integrity of repos and other things that rely on SHA-1? Does it merely break repos or does it facilitate injection attack vectors - how important is secure hashing in the guts of repos? What precisely is being secured? SHA-1 has been deprecated for SSL certs already so you shouldn't be using certs with SHA1 sigs anymore. Myself, keep an eye on how this develops and start thinking about using SHA-2 but won't be replaing git or existing usage of SHA1 for password hashing anytime soon.
1. Re:"In the wild" - slight exaggeration by gravewax · 2017-02-26 09:58 · Score: 1
  
  In today's world of large botnets and distributed computing 6500+ cpu years + 110 GPU years is not a particularly daunting number.
2. Re:"In the wild" - slight exaggeration by geekpowa · 2017-02-26 10:11 · Score: 1
  
  Umm, that is an uncited claim in the summary. Nothing of the sort is stated in any of the links. The summary links to a paper that provides more details of the attack. Very heavy and technical though a few inital takeaways from it is that implementations only take a few days to run on gear they have so does seem safe to assume that SHA-1 collisions are pretty much pwned.
3. Re:"In the wild" - slight exaggeration by serviscope_minor · 2017-02-26 10:15 · Score: 2
  
  "In the wild" is a bit panicky & excessive.
  No, it's really not. This demonstrates that SHA-1 is not only weak, but broken. One golden rule about security is that it never improves over time. It means that collisions are now possible, and are within reach of moderate sized organisations. Google can clearly manage, governments certainly can and any criminal organisation with a large enough botnet can manage too. This isn't just finding random data either: it's a practical attack whereby two valid PDFs both hash to the same value.
  The security will get worse over time, just like it did for MD-5. With MD-5 it took less than 3 years for someone to go from creating two valid documents with the same hash (poth PDF and PS support arbitrary data embedded for various purposes which makes them relatively easy targets) to a completely broken cryptographic certificate which broke the chain of trust entirely. Not only did it happen, but it took a scant 11 hours on a 30 node cluster, meaning practical, attacks were in range of a single, not well funded individual, only 3 years after the first collision was found. With SHA-0, it took about a year and a half to go from the first collision to fast collisions.
  It's hard enough migrating things and old systems tend to hang around for years or even decades, so you should be planning your migration right now.
  That is not to say that SHA-1 is unsuitable for content identification with non malicious inputs, it's fine for that, but so is MD-5.
  
  --
  SJW n. One who posts facts.
4. Re:"In the wild" - slight exaggeration by Lisandro · 2017-02-26 10:22 · Score: 1
  
  This. It is safe to say SHA-1 is effectively broken at this point and existing users should start migrating to better alternatives.
  But let's not panic either. The world is not crumbling down to pieces anytime soon.
5. Re:"In the wild" - slight exaggeration by geekpowa · 2017-02-26 10:40 · Score: 1
  
  "not only weak, but broken" seems premature. The attack here involves manipulating two obtuse file formats to yield altered files with a shared hash, different to original unaltered hashes. Definitely weakened and yeah you are probably right this is the final toll for SHA-1 and from here things are likely to get worse quickly. I'll be mindful of this when I think about the various places where I use SHA-1 and start thinking about switching in other things. But I am failing to see how this right now translates into a practical vector for the various places where I encounter SHA-1. A more serious vector would be the capacity to create any desired hash with something significantly more efficient than a brute force compute. i.e. can anyone easily yield output the same as this without knowing the input?"
  echo -n 'mysecretpw+somesalt'|sha1sum 3cbb35f831b4e9241dd986f66c16e465e2db2a3a -
6. Re:"In the wild" - slight exaggeration by Aighearach · 2017-02-26 10:44 · Score: 1
  
  Right, it is still just like Linus said about the git sha-1, not really a big deal because it isn't even the security layer.
  If developers with write access to your repo are malicious, you have much worse problems. This is not a serious threat, it is just an edge case that the future will prevent.
  The real lesson IMO is, if you do roll your own security, use a library for the password hashing. And if the algorithm ends up having been the wrong one, you'll just update the library. If it is on the network, use ssh or similar. Trust is bad, but that doesn't mean trusting yourself. It means to minimize the need for trust whenever possible. If you absolutely have to trust something, trust the normal generic Best Practice. Being able to look that up in the manual with all the noisy info glut might be non-trivial, though.
7. Re:"In the wild" - slight exaggeration by swillden · 2017-02-26 10:49 · Score: 2
  
  Umm, that is an uncited claim in the summary. Nothing of the sort is stated in any of the links. The summary links to a paper that provides more details of the attack. Very heavy and technical though a few inital takeaways from it is that implementations only take a few days to run on gear they have so does seem safe to assume that SHA-1 collisions are pretty much pwned.
  The Python script in question doesn't find new SHA-1 collisions. It takes two input PDFs and produces two output PDFs that hash to the same value. It uses some quirks of how PDFs work, plus that original SHAttered collision generated by the Google researchers. Finding another collision is a lot of work. Using a known collision to generate PDFs with the same hash value is not.
  https://github.com/nneonneo/sha1collider
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
8. Re:"In the wild" - slight exaggeration by guruevi · 2017-02-26 10:49 · Score: 2
  
  If someone checked in, that means they have permissions to do so. It's not like Git just blindly accepts commits with the same hash but different contents. We know it's possible, it's even possible with SHA256 to create a collision, as long as you're making a hash, you can create a collision as you're mapping an infinite set of bits onto a finite set of bits, there will always be a second set of bits that creates a collision as the number of sets approaches infinity regardless of the hash function you use.
  The fact that it's "easier" for a certain definition of "easy" doesn't mean the thing is broken, it just means people should be more careful when accepting particular hashes (eg. if you're using a cloned repo of whatever software you want to use) but even then, a bit-by-bit comparison can easily weed them out.
  As far as mainstream repo's a) you would notice someone suddenly inserting a very oddly shaped document into your repo's b) that person would require permission to do so and c) you should never automate a repo to pull in and compile something into production. Not sure if that's what happened here, the summary is very unclear as to what actually happened besides someone intentionally pushing a broken thing and it broke other things.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
9. Re:"In the wild" - slight exaggeration by geekpowa · 2017-02-26 10:55 · Score: 1
  
  Thanks for the link!
10. Re:"In the wild" - slight exaggeration by guruevi · 2017-02-26 11:01 · Score: 2
  
  Say it with me: Hashing is not Encryption. Hashing is not Encryption. Hashing is not Encryption.
  Very high level:
  Hashing is the irreversible mapping of a set of bits onto a (usually smaller) set of bits in order to obfuscate the original set of bits (one-way)
  Encryption is the mapping of a set of bits onto another equally sized set of bits where the mapping is reversible through some process (two-way)
  Hashing can be done with salts so that using rainbow tables is harder or impossible, but there will always be another set of bits that maps into the same set of bits. It's good enough for hiding a password or for reducing the complexity of finding matches. If you were writing a file system you could use it to do things like de-duplication but when you have a collision, you should ideally still do a bit-by-bit check when a collision occurs.
  Calculating a collision with actual useful content - if I want to insert a "return 0" on a particular line somewhere in the Linux kernel) is still as hard if not impossible to do as before without also inserting a load of weird, binary comments. We just know that these collisions can now be calculated faster, but it's not like adding an arbitrary string will break the calculation and produce a predefined hash.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
11. Re:"In the wild" - slight exaggeration by 0ptix · 2017-02-26 11:40 · Score: 2
  
  To be fair, any pair of distinct inputs to SHA1 that hash to the same value are a new collision. In general, being given one collision for a hash function doesnt make it automatically easy to find another. Its only because SHA1 is an iterated hash function (merkle-damgard) that this becomes true. (admittedly, almost all practical cryptographic hash functions are iterated constructions.)
  If SHA1(x0) = SHA1(x1) then for any z SHA1(x0Â¦Â¦z) = SHA1(x1Â¦Â¦z). I'm guessing the collision generated by the Google-CWI team is on a pair x0 and x1 where xb is the beginning of a pdf document that basically encodes "of the next two sections in this pdf file display section b". Given that its easy to extend them to any colliding pdf documents one wants.
12. Re:"In the wild" - slight exaggeration by serviscope_minor · 2017-02-26 11:54 · Score: 1
  
  "not only weak, but broken" seems premature. The attack here involves manipulating two obtuse file formats to yield altered files with a shared hash, different to original unaltered hashes.
  It took less than 3 years for MD5 to go from "first collisison" to "can fake certificate trust chains".
  . But I am failing to see how this right now translates into a practical vector for the various places where I encounter SHA-1.
  But don't forget that the open literature discovered an as-yet-unknown attack against MD5 in an internet worm, one almost certainly written by a government organisation. In other words, the state of the art may well be a couple of years ahead of what's public.
  
  --
  SJW n. One who posts facts.
13. Re:"In the wild" - slight exaggeration by nasch · 2017-02-26 16:02 · Score: 1
  
  Was somebody confusing hashing with encryption?
14. Re:"In the wild" - slight exaggeration by tlhIngan · 2017-02-26 18:09 · Score: 1
  
  If developers with write access to your repo are malicious, you have much worse problems. This is not a serious threat, it is just an edge case that the future will prevent.
  What if they aren't malicious? I mean, WebKit SVN is down not because a developer wanted to try it, but because they were submitting a test case. A test case meant to verify that WebKit's caching algorithms aren't vulnerable to a SHA-1 collision.
  And in checking in this test case, he inadvertently broke the entire repository. It's completely possible he wasn't aware how SVN works internally that such a test case could break the repo as well.
  There's right now a worry that the master repository is irrepairable - that because of this checkin, you cannot repair it - the only way to recover is to restore it from a backup.
15. Re:"In the wild" - slight exaggeration by Bob+the+Super+Hamste · 2017-02-27 05:04 · Score: 1
  
  It means that collisions are now possible, and are within reach of moderate sized organizations.
  This is the key. 6500 CPU years or 110 GPU years of computational power is not that difficult to achieve. When this news broke last week a few of us at my work had a discussion about it and while those number sound impressive we then realized that at work we have access to probably 2x that processing power in our building.
  
  --
  Time to offend someone
16. Re:"In the wild" - slight exaggeration by Aighearach · 2017-02-27 06:24 · Score: 1
  
  None of that has meaning or value.
  This doesn't crash anything, and a test case meant to do some shit that it doesn't do well doesn't cause a problem other than for that test case. There is no bad thing happening in your story, just somebody has some shitty code.
  Then you wave your hands and say, "he inadvertently broke the entire repository."
  There is no worry that repositories would, or even might, or even could, because irreparable. That's just making shit up wildly. The speculation in the stories were going into a much more detailed scenario that does involve a malicious actor. Misunderstanding the danger doesn't cause it to change.
Re:FINALLY! by espenskaufel · 2017-02-26 09:52 · Score: 1

When did "Doing exactly what you want in an intuitive way is a basic function of any software.”? I thought that was the holy grail of software. I have still not used one source control system that I found hard to use and in my experience git-repos get messed-up more often than others (might be because they are the most common). Some devs seems to have problem understanding remotes and rebase.
Re:FINALLY! by espenskaufel · 2017-02-26 09:56 · Score: 1

You are probably right :)
Re:sha1 by jellomizer · 2017-02-26 10:36 · Score: 1

Because it was good once. Better than MD5. Changing it can break a lot of compatibility. So they don't change it.
If you are keeping software running over a long time. You need to balance compatibility, Security and maintainable design. Otherwise such projects will take decades to develop and be out of date on release.

--
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Re:FINALLY! by thegarbz · 2017-02-26 10:52 · Score: 1

I wonder if carpenters feel the same way about hammers
Hahahah tip of the iceberg. I saw two carpenters on my house arguing about who had better screwdrivers. Yes people most definitely do.
Reading the paper. What is in an exponent?? by TheNarrator · 2017-02-26 11:35 · Score: 1

I am trying to read their paper on the sha1 collisions over here: https://shattered.io/static/sh... and there's some unusual equation stuff.
mi = (mi3 mi8 mi14 mi16)1
Can anyone explain that to me in english?
Re:Reading the paper. What is in an exponent?? by TheNarrator · 2017-02-26 11:38 · Score: 1

Ah dam. My unicode got munged by the slashdot anti garbage filter. Should have hit preview first!
Anyway the symbol I was referencing is a circular arrow pointing in a clockwise direction that looks like the images on this page: https://en.wikipedia.org/wiki/... . I've never seen that in a paper. What does it mean when it's in an exponent?
Re:Reading the paper. What is in an exponent?? by cryptizard · 2017-02-26 12:06 · Score: 3, Informative

It is a bitwise rotation. The direction and number specify if it is a right or left rotation and then how many bits to rotate.
SHA-1 in git and co by DrYak · 2017-02-26 12:12 · Score: 1

A cryptographic hash function has the properties you mention, plus the fact that it must not be easily reversible and uniformly distribute results over its entire output space.

The later is a property which is not guaranteed by most common checksums.
Thus, when you need a hash function to give a number to use as a handy "nickname" for a collection of data (e.g.: for a hash look-up table. Or for a content-addressable like git to create said addresses for a given content - and thus to give a serial number to a commit. Or apparently also used in SVN to give a simple number to designate commits), it might be a good choice to pick-up a cryptographic hash like SHA-1 because it guarantees you this additional property, which a vanilla checksum could lack.

--
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
GIT by DrYak · 2017-02-26 12:41 · Score: 3, Interesting

Does the Git usage of SHA-1 *really* cause silent problems? I'm not sure how Git works internally but I was under the impression that it hashes whole objects, like individual source files at least.
The individual objects inside git aren't file.
The individual objects are commits (i.e..: the content of a patchfile, and a few information like pointer to other past commits to which this patch applies).
To make things easier, a handy number designates this commit - this is currently generated by SHA-1.
(Git is a content-addressable platform. You don't access object by name, you access them depending on their content. But instead of using the whole content to access them, you use addresses generated by SHA-1 to access the various blocks.
So to say which are the parent commits to which the patch in a commit applies, you just mention them by using the SHA-1 sum of the content of these commits).
A theoretical attack would be:
- try to generate 2 commits.
one adds a clean piece of code. the other adds a backdoored piece of code.
but both commits hash to the same SHA-1 so they would be considered as "the same content" by git.
Then try to force your target to re-download the whole repo from scratch from your backdoored history (otherwise git will simply ignore the commits with sha-1 sum that it already has - it thinks that it has the same content already).
In practice it's currently not doable.
The only thing that google managed to generate is a pair of block series. Each series contain completely random junk. Both series end-up generating the exact same shasum even if the random junk is different.
- That is exploitable in a PDF (or any other binary format that supports scripting. You could even do it in an EXE) : using the embed scripting present 2 different contents depending on which random junk is present.
- That is not exploitable in a sourcecode commit : you would need a believable explanation for why the random junk is present in the patched source code.
AND you would need a piece of code which reacts differently (normal vs. backdoor) depending on which random junk is present - to be able to pull that unnoticed would require "Underhanded C Contest"-level of ingenuity.
That's it, you only have blocks of random garbage.
Google currently can't produce hashes colliding from arbitrary pieces of data ("Hey google: here's is legit script A, and that's malicious script B. Add a small nonce at the end so they both end-up having the same sha-1sum") ("Actually don't add a nonce, that would be too conspicuous, try to tweak the punctuation in the comments instead")
Also as you mention, further edits will be problematic :
if I edit script A and submit a patch, this patch will be valid, but will completely fail on top of script B.

--
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Hash Functions 101 by FeelGood314 · 2017-02-26 12:45 · Score: 4, Informative

A hash function takes an arbitrary string of bits and outputs a string of bits of a fixed length.
A CRC is an example of a hash function and a long CRC would probably be good enough for GIT or most repositories.
First Pre-image resistance - this is a test of the one wayness of the function. Given a hash value it is difficult to find a pre-image that hashes to that value. Given y a string of bits of length hash output length finding X such that h(X) = y is hard.MD-5 and SHA-1 are still resilient against first pre-image attacks
Second Pre-image resistance - given a message X finding a Y such that h(X)=h(Y) is difficult. MD-5 and SHA-1 are still resilient against second pre-image attacks
Collision resistant - It is hard to find two messages X and Y such that h(X) = h(Y). Note the attacker here is free to choose both X and Y. Both MD-5 and SHA-1 are no-longer collision resistant.

So far however the two messages X and Y have to be nearly identical. They have to start and end the same way and the blocks that are changed actually have to be changed and tested together to make sure the hash function internal state changes only in a specific way. I can't create a document that says the rent will be $3000 per month and another that says it will be $30000. (I might create one that says it is $3149.21 and the other $53210.63 per month, like in the PDF example they played with a colour field). Also because of the way the internal state of the hash function changes we now have a way of detecting if someone is feeding a "funny" stream of bits into our hash function and detect this attack with a very low probability of a false positive.
1. Re:Hash Functions 101 by FeelGood314 · 2017-02-26 14:14 · Score: 2
  
  This still can be weaponized. Even if I only have two bit streams that start the same and then only differ in a block that I couldn't control I can still create malicious executables. Once I have the two streams that collide as long as the bits I add to both streams are identical the hashes will remain identical. I then have code after the differing block(s) that checks a value of a field in the differing blocks and behaves differently based on this value. I now have a good executable that is well behaved that I can submit to be signed by Microsoft or some other trusted company and a bad piece of software that has the same hash value. I take the valid signature from the good software and append it to the bad software and the signature remains valid.
Re:FINALLY! by phantomfive · 2017-02-26 16:56 · Score: 1

I wonder if carpenters feel the same way about hammers or if developers are just way to opinionated...
Yeah, typical carpenter hammer arguments:

*) Hammer weight (usually 16-24oz for house framing)
*) Handle type (wood? Fiberglass? (fiberglass hammers suck tbh))
*) Is the face of the hammer smooth or textured?

--
"First they came for the slanderers and i said nothing."
Re:I have no faith in cryptography, because.. by Bob+the+Super+Hamste · 2017-02-27 05:43 · Score: 1

Considering that several years ago everyone was told to move away from SHA1 as it wasn't considered secure given the at the time theoretical attacks this shouldn't come as a surprise. NIST has been very open about the process as of late with the AES process and more recently the SHA3 process. Even though no known issues exist with the SHA2 suite of hashes they were proactive in going forward with the SHA3 process because SHA2 is mathematically similar to SHA1 so it may be possible to have related attacks against the various SHA2 hashes. I would question anything that is just dropped wholesale from the government like the whole botched EC crypto, and then there was thae long standing questions about the DES S-Boxes that while it turned out were strengthened against differential attacks but no explanation was given as to why at the time. Even now the full set of parameters used for them haven't been provided.

--
Time to offend someone
Re:about hash functions by Lisandro · 2017-02-27 07:31 · Score: 1

It seems obvious to me that a small string sequence could be identical from two differents long original texts. Even it happend, the hash function is NOT the original message, and a collision could happen. It does'nt mean that the two original texts are the same.
Am i right ?
Yes. A hash is nothing more than a function mapping data of arbitrary size to an output of fixed, smaller size so by definition you can always construct two inputs which yield the same hash. What makes crypto hashes secure is that this is normally very, very hard to do - that is, given a hash generate an input from it.