Date: Tue, 26 Jun 2012 17:28:21 +0400 From: Solar Designer <solar@...nwall.com> To: "Andries E. Brouwer" <Andries.Brouwer@....nl> Cc: john-dev@...ts.openwall.com, Tavis Ormandy <taviso@...xchg8b.com> Subject: Re: raw-sha1_li Andries - Thank you for reporting this issue to us. All - please note that Andries is not subscribed, so please keep him CC'ed on replies. Ditto for Tavis (CC'ed here). On Tue, Jun 26, 2012 at 12:12:00PM +0200, Andries E. Brouwer wrote: > There are two entirely different hashes: > 1. raw-sha1 > 2. raw-sha1 followed by zeroing the first 20 bits > > They should have different names since they differ. > For example, the linkedin dump contains the hashes > > a96807e7bd710592ee36264a72d6aa35c2d165f9 > 000007e7bd710592ee36264a72d6aa35c2d165f9 > > Now sunshine09 has sha1sum > > 3b1787e7bd710592ee36264a72d6aa35c2d165f9 > > so that it qualifies for the second hash, but not for the first one. That's a curious discovery. It pretty much implies that the a96807e7bd710592ee36264a72d6aa35c2d165f9 hash in the dump is not valid (has its first 20 bits overwritten with non-zeroes), because it is unrealistic that we hit a true 140-bit SHA-1 collision without even trying to trigger that. Tavis - what was the closest SHA-1 near-collision that you managed to hit? And the closest for sequential bits (like 140 in a row that we have here, rather than 140 scattered throughout the 160)? > This means that raw-sha1 and raw-sha1_LI must be kept separate. > It also means that it is a bad idea to call them both $dynamic_26$. Not necessarily. Thanks again, Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.