author | Marc Stevens <marc@marc-stevens.nl> | 2017-02-21 15:37:43 +0100 |
---|---|---|
committer | Marc Stevens <marc@marc-stevens.nl> | 2017-02-21 15:37:43 +0100 |
commit | 40ccf5e3537ff6b2e5ceac5747f376a2ef430bec (patch) | |
tree | 48af0177407152a555fb928d9f540ab488ac5440 | |
parent | 7f8db79a8785790af00d33794ba20db237929b68 (diff) | |
parent | 8f326708d3f3cd312a748dbe84ec97a83875c156 (diff) | |
download | sha1collisiondetection-40ccf5e3537ff6b2e5ceac5747f376a2ef430bec.tar.gz |
Merged branch master into master
-rw-r--r-- | README.md | 71 |
1 files changed, 71 insertions, 0 deletions
@@ -1,2 +1,73 @@ # sha1collisiondetection Library and command line tool to detect SHA-1 collisions in files + +Copyright 2017 Marc Stevens <marc@marc-stevens.nl> + +Distributed under the MIT Software License. + +See accompanying file LICENSE.txt or copy at https://opensource.org/licenses/MIT. + +## Developers + +- Marc Stevens, CWI Amsterdam (https://marc-stevens.nl) +- Dan Shumow, Microsoft Research (https://www.microsoft.com/en-us/research/people/danshu/) + +## About +This library and command line tool were designed as near drop-in replacements for common SHA-1 libraries and sha1sum. +They will compute the SHA-1 hash of any given file and additionally will detect cryptanalytic collision attacks against SHA-1 present in each file. It is very fast and takes less than twice the amount of time as regular SHA-1. + +More specifically they will detect any cryptanalytic collision attack against SHA-1 using any of the top 32 SHA-1 disturbance vectors with probability 1: +``` + I(43,0), I(44,0), I(45,0), I(46,0), I(47,0), I(48,0), I(49,0), I(50,0), I(51,0), I(52,0), + I(46,2), I(47,2), I(48,2), I(49,2), I(50,2), I(51,2), + II(45,0), II(46,0), II(47,0), II(48,0), II(49,0), II(50,0), II(51,0), II(52,0), II(53,0), II(54,0), II(55,0), II(56,0), + II(46,2), II(49,2), II(50,2), II(51,2) +``` +The possibility of false positives can be neglected as the probability is smaller than 2^-90. + +The library supports both an indicator flag that applications can check and act on, as well as a special _safe-hash_ mode that returns the real SHA-1 hash when no collision was detected and a different _safe_ hash when a collision was detected. +Colliding files will have the same SHA-1 hash, but will have different unpredictable safe-hashes. +This essentially enables protection of applications against SHA-1 collisions with no further changes in the application, e.g., digital signature forgeries based on SHA-1 collisions automatically become invalid. 
+ +For the theoretical explanation of collision detection see the award-winning paper on _Counter-Cryptanalysis_: + +Counter-cryptanalysis, Marc Stevens, CRYPTO 2013, Lecture Notes in Computer Science, vol. 8042, Springer, 2013, pp. 129-146, +https://marc-stevens.nl/research/papers/C13-S.pdf + +## Compiling + +Run: +``` +make +``` + +## Command-line usage + +There are two programs `bin/sha1dc` and `bin/sha1dc_partialcoll`. +The first program `bin/sha1dc` will detect and warn for files that were generated with a cryptanalytic SHA-1 collision attack (of which there are no public examples so far). +The second program `bin/sha1dc_partialcoll` will detect and warn for files that were generated with a cryptanalytic collision attack against reduced-round SHA-1 (of which there are a few examples so far). + +Examples: +``` +bin/sha1dc test/sha1_reducedsha_coll.bin +bin/sha1dc_partialcoll test/sha1reducedsha_coll.bin +``` + +## Library usage + +See the documentation in `lib/sha1.h`. Here is a simple example code snippet: +``` +#include <sha1dc/sha1.h> + +SHA1_CTX ctx; +unsigned char hash[20]; +SHA1DCInit(&ctx); +// SHA1DCSetSafeHash(&ctx, 0); // disable safe-hash mode (safe-hash mode is enabled by default) +SHA1DCUpdate(&ctx, buffer, (unsigned)(size)); +int iscoll = SHA1DCFinal(hash,&ctx); +if (iscoll) + printf("collision detected"); +else + printf("no collision detected"); +``` + |
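Review bot: The two commands in the Examples block under "Command-line usage" name different test files, `test/sha1_reducedsha_coll.bin` and `test/sha1reducedsha_coll.bin`, which looks like one file with a typo in one of the spellings; please make both lines use the filename that actually exists in `test/`. In the "Library usage" snippet, `SHA1DCUpdate(&ctx, buffer, (unsigned)(size));` casts the length to `unsigned`, so if `size` is a wider type and exceeds the range of `unsigned`, the value is truncated and both the hash and the collision check cover only part of the input; either state that large inputs must be fed in chunks or show the loop. The same snippet uses `buffer` and `size` without declaring them and includes `<sha1dc/sha1.h>` while the sentence above it points to `lib/sha1.h`, so a line on the include path would remove the ambiguity. Smaller points: in "About" the subject switches from "They will compute" to "It is very fast", and the `printf` calls have no trailing newline.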