by jstanley 3285 days ago
The code sets up a sha256 state, then adds some input to sha256, and then demonstrates that the sha256 state is the same as it was.

I'd say that counts as a vulnerability. It doesn't mean sha256 is broken, but it's a vulnerability.

EDIT: All of this modulo a rigged sha256.py, of course

2 comments

Yes, but the rigged sha256 seems to produce the same results as a real sha256. And there's nothing obviously hinky in the code that I can see on cursory inspection. If this is rigged, it's rigged in a particularly clever way.

[UPDATE] Turns out this is not a vulnerability at all:

https://crypto.stackexchange.com/questions/48580/fixed-point...
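Added example, not part of the thread and not the sha256.py being discussed: a state that is unchanged after absorbing one block is a fixed point of the SHA-256 compression function, and the Davies-Meyer structure lets you compute one for any block by running the 64 rounds backwards from an all-zero working state. The resulting state is not the standard initial value, which is why no real message hashes through it; the function names and the sample block are assumptions of this sketch.

```python
# Added illustration (hypothetical names): SHA-256 compression fixed point.
import hashlib, struct
from math import isqrt

MASK = 0xFFFFFFFF
PRIMES = [p for p in range(2, 312) if all(p % q for q in range(2, isqrt(p) + 1))]

def icbrt(n):
    """Exact integer cube root by binary search."""
    lo, hi = 0, 1 << 40
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= n else (lo, mid - 1)
    return lo

K = [icbrt(p << 96) & MASK for p in PRIMES]       # 64 round constants
IV = [isqrt(p << 64) & MASK for p in PRIMES[:8]]  # standard initial state

rotr = lambda x, n: ((x >> n) | (x << (32 - n))) & MASK
S0 = lambda a: rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)
S1 = lambda e: rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)
ch = lambda e, f, g: (e & f) ^ (~e & g & MASK)
maj = lambda a, b, c: (a & b) ^ (a & c) ^ (b & c)

def schedule(block):
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = rotr(w[i-15], 7) ^ rotr(w[i-15], 18) ^ (w[i-15] >> 3)
        s1 = rotr(w[i-2], 17) ^ rotr(w[i-2], 19) ^ (w[i-2] >> 10)
        w.append((w[i-16] + s0 + w[i-7] + s1) & MASK)
    return w

def compress(state, block):
    a, b, c, d, e, f, g, h = state
    for k, w in zip(K, schedule(block)):
        t1 = (h + S1(e) + ch(e, f, g) + k + w) & MASK
        t2 = (S0(a) + maj(a, b, c)) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def fixed_point(block):
    """Invert the rounds from a zero working state: compress(s, block) == s."""
    a, b, c, d, e, f, g, h = [0] * 8
    for k, w in reversed(list(zip(K, schedule(block)))):
        t1 = (a - S0(b) - maj(b, c, d)) & MASK
        a, b, c, d, e, f, g, h = b, c, d, (e - t1) & MASK, f, g, h, \
            (t1 - S1(f) - ch(f, g, h) - k - w) & MASK
    return [a, b, c, d, e, f, g, h]

# Sanity check against hashlib: one padded block for b"abc" from the real IV.
assert compress(IV, b"abc\x80" + bytes(59) + b"\x18") == list(
    struct.unpack(">8I", hashlib.sha256(b"abc").digest()))
```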

You can google for existing sha256 collisions, nothing special in hard coding one.

Google it and you'll find the source, if it's a popular collision already published in papers.

I think you're confusing SHA256 with SHA1.