SHA-1 cracked, are your GIT archives vulnerable to attacks?

Recently it was announced that SHA-1 signatures are now susceptible to collision attacks (source).

As GIT uses SHA-1 signatures to uniquely identify objects you might ask yourself if it is still safe to store objects in your GIT code archive.

Let’s find out!

First, SHA-1 signatures are used in GIT to ensure data integrity and consistency, i.e. to detect corruption by DRAM, disks etc.

However, it was never implemented as a security feature to keep attackers out. For that purpose another mechanism has been implemented in GIT: signed commits.

While in 2012 it was predicted that it would take approx. $2.7M (source) to break a single hash value, it can now (fall 2015) be done with a budget of $100.000 by renting CPU time from a cloud provider like Amazon EC2.

If you are curious what the SHA-1 hash of an object or text string looks like, you can see it by executing the following line in a DOS command window:

D:\>echo '' | git hash-object --stdin

Now, let’s assume the attacker is attacking a remote repository.

When the attacker has access to a local repository there are probably much easier and cheaper ways to inject code into a GIT repository, so the remote repository is the logical scenario.

The attacker created a file containing malicious code with an identical SHA-1 and committed it to the remote repository.

Now what happens is that the new object will not be created!

Since the malicious file that the hacker wants to inject has the same SHA-1 as the original file in your repository, the commit or GIT index ends up pointing to the old object.

GIT thinks you have committed the same object as it has an identical SHA-1 hash.
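An added example (not code from the original post or from GIT itself) that models the behaviour just described: it computes a blob's object id the way `git hash-object` does, and then uses a deliberately truncated toy hash so that a collision can be found in a few hundred tries and shown to leave the existing object untouched. `ObjectStore`, `toy_oid` and `find_colliding_content` are simplified stand-ins for GIT's object database, not its real implementation.

```python
import hashlib


def git_blob_oid(content: bytes) -> str:
    """Object id GIT assigns to a blob: SHA-1 over "blob <size>\\0<content>"."""
    header = b"blob %d\0" % len(content)
    return hashlib.sha1(header + content).hexdigest()


class ObjectStore:
    """Content-addressed store with GIT's write rule (assumption: a simplified
    model of the object database): an id that already exists is never rewritten."""

    def __init__(self, oid_fn=git_blob_oid):
        self.oid_fn = oid_fn
        self.objects: dict[str, bytes] = {}

    def write(self, content: bytes) -> tuple[str, bool]:
        """Return (oid, created); created is False when the oid was already stored."""
        oid = self.oid_fn(content)
        if oid in self.objects:
            return oid, False  # existing object wins, the new bytes are dropped
        self.objects[oid] = content
        return oid, True

    def read(self, oid: str) -> bytes:
        return self.objects[oid]


def toy_oid(content: bytes) -> str:
    """Stand-in for a broken hash: only the first 8 bits of the real blob id,
    so a collision costs a few hundred tries instead of a cloud-sized budget."""
    return git_blob_oid(content)[:2]


def find_colliding_content(target: bytes, prefix: bytes, oid_fn=toy_oid) -> bytes:
    """Brute-force a variant of `prefix` whose toy id equals the id of `target`."""
    want = oid_fn(target)
    n = 0
    while oid_fn(prefix + b" # %d\n" % n) != want:
        n += 1
    return prefix + b" # %d\n" % n


def collision_demo() -> tuple[bool, bytes]:
    """Commit a constructed original file, then push a colliding 'malicious' one."""
    original = b"print('hello, world')\n"  # constructed sample file
    store = ObjectStore(oid_fn=toy_oid)
    store.write(original)
    evil = find_colliding_content(original, b"print('injected placeholder')")
    oid, created = store.write(evil)
    return created, store.read(oid)  # the old object is what the repository keeps
```

`git_blob_oid(b"")` reproduces the well-known empty-blob id `e69de29bb2d1d6434b8b29ae775ad8c2e48c5391`, and `collision_demo()` returns `(False, original)`: the colliding file was never stored.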

The bottom line is that SHA-1 collisions are not very relevant for existing GIT repositories. Use signed commit messages for extra security instead.


About Mark de Bont