How do we predict the value of the field “serial number” if the CA chooses a random number as the serial number? Since the first real MD5 collision attack was presented by Wang [1, 2] in 2004, it is possible to construct forged certificates based on the collision attack of MD5. openssl ca -config full-path-to-openssl.cnf -gencrl -out full-path-to-RcCA.crl, where RcCA is the CRL file. Click Serial number or Thumbprint. We reviewed the source code of RAND_bytes() and found that it is the “FILETIME”-type variable “tv” (Figure 6). If the chosen-prefix collision of some hash algorithm occurs, the threat will probably work again. For attackers, the method can be applied to forge certificates successfully. Just create the serial number file: ./demoCA/serial, as shown below: C:\Users\fyicenter>copy CON demoCA\serial 1000 -Z 1 … And while that may seem trivial, there is … The computing complexity of the attack is [4, 5] and a program was presented by Stevens [16]. If the private key is encrypted, you will be prompted to enter the pass phrase. But, in the near future, a real case of chosen-prefix collision of SHA-1 may be found, at which point the attack will be feasible. In the next subsection, we will reduce the entropy to 10 bits (103). After that, I used the certificate authority to re-issue a new certificate. The files contain the next available serial number in hex. Serial Number Files. Jizhi Wang, "The Prediction of Serial Number in OpenSSL’s X.509 Certificate", Security and Communication Networks, vol. 
In the configuration file of OpenSSL “openssl.conf” (Figure 2), the term “serial” is related to the serial number. I'm using the following version: $ openssl version OpenSSL 1.0.1g 7 Apr 2014 Get a certificate with an OCSP. Although MD5 has been replaced by CAs now, with the development of technology, new attacks on the current hash algorithms adopted by CAs, such as SHA-256, will probably occur in the future. You can display the contents of a PEM formatted certificate under Linux, using openssl: $ openssl x509 -in acs.cdroutertest.com.pem -text The output of the above command should look something like this: The result is shown in Table 3. “openssl.conf”: the configuration file of OpenSSL. In the method, attackers needed to predict the serial number of X.509 certificates generated by CAs in addition to constructing the collision pairs of MD5. Since the time is the seed for generating the serial number in OpenSSL, we can limit the seed to a narrow range, get a series of candidate serial numbers, and use these candidate serial numbers to construct faked X.509 certificates through Stevens’s method. TLS/SSL and crypto library. Reviewing the source code of OpenSSL, we can find it calls the function “rand_serial (BIGNUM b, ASN1_INTEGER ai)” in X509.c to generate the serial number (Figure 4). The first part of the sed command s/../&:/g splits the string every two characters (..) and inserts a colon (:). How do we predict the value of the field “not valid before” that is in the unit of second? Since the value of “not before” leaks the time of certificates’ generation, attackers can limit the seeds for generating serial numbers in OpenSSL to a narrow range. A theoretical analysis of OpenSSL’s PRNG was presented in [10]. The parameters p and q are location marks of array s, whose initial values are zero. 
After that I'd like to format the certificate in following format hexhex:hexhex:...:hexhex. The parameter “--rdrand” means using the instruction RDRAND from Intel x86 on-chip hardware random number generator. If the guessed serial number and validity period are correct, it is successful! We used ten different E-mail addresses to apply to the CA for certificates. Before OpenSSL 0.9.8, MD5 was the default configuration for creating message digests [20]; after that, MD5 is still supported for compatibility. Generate Serial numbers. Before that, identical-prefix collision had been studied, which is easier to construct than chosen-prefix collision. 2019, Article ID 6013846, 11 pages, 2019. https://doi.org/10.1155/2019/6013846, 1Institute of Information Engineering, Chinese Academy of Sciences, China, 2School of Cyber Security, University of Chinese Academy of Sciences, China, 3Shandong Provincial Key Laboratory of Computer Networks, Shandong Computer Science Center (National Supercomputer Center in Jinan), Shandong Academy of Sciences, China, 4School of Cyber Security, Qilu University of Technology, China. Concluding the above analysis on OpenSSL, EJBCA, CFSSL, NSS, Botan, and Fortify, we can compare the ways the valid time and serial number of certificates are generated in Table 5. Furthermore, we also investigated generating certificates in other open source libraries, like EJBCA, CFSSL, NSS, Botan, and Fortify. The parameter “--drbg” uses a PRNG compliant with NIST SP 800-90A, whose seed is designated by “--drbg-seed.” There are no known security vulnerabilities of those RNGs for predicting their outputs so far. The above serial number generator of X.509 certificates in OpenSSL is an example of LESL. Among attacks, collision of hash algorithms is one of the most serious threats. Thus, an attacker can try all the possible seeds and generate the results according to his/her instance of the random number generator. 
From Figure 15, the default value of “not before” is set as “current time.” The “serial number” is generated by the function “crypto.getRandomValues,” which is from Web Crypto API and is a cryptographically strong RNG. Just including the Subject of the Issuer would be duplicating the Issuer DN already available in the certificate. Depending on what you're looking for. The authors in [10–12] gave the algorithms of RAND_add() and RAND_bytes() as in Algorithms 1 and 2. The flow of forging a certificate is shown in Figure 1. The default for openssl is 1024, so be sure to specify it manually as we did above. In this paper, we have three contributions as follows: (1) We find a vulnerability of OpenSSL that the field “not before” in certificates leaks the time of generating certificates, which is the seed of generating the field “serial number,” so that it is possible to predict the value of “serial number.” (2) We give the predicting method for the field “serial number” and forge certificates based on the proposed method and Stevens’s method. The testing result shows that the real serial number of the certificate is one of the candidate serial numbers that we predict (in Table 4). In X.509 certificates, the signature of the CA is the most important part for preventing forgery. For example, the open source PKI architecture OpenCA [19] calls OpenSSL to generate X.509 certificates. Thanks to Chet Burgess for the … This is the simplest method to deal with the problem. In the wild, however, many valid certificates still use MD5 [9]. Click the word Serial number or Thumbprint. openssl req -config openssl-root.cnf -set_serial 0x$(openssl rand -hex. In the above example, 0x0400 = 1024. 
openssl s_client -connect : < /dev/null 2>/dev/null | openssl x509 -serial -sha256 -noout -in /dev/stdin File structure: root CA . From the above analysis, the serial number and “not before” depend on the system time when the certificate is generated in OpenSSL. Any modification of the contents of a certificate would change the CA’s signature, in other words change the hash value. The two times are the current system time. CFSSL is an open source PKI/TLS toolkit developed by CloudFlare. The project is supported by Key Research and Development Plan of Shandong Province, China (NO.2017CXGC0704), and Fundamental Research Fund of Shandong Academy of Sciences, China (NO.2018:12-16). The serial number of certificates in NSS. Some studies related to the security of the PRNG have been published [10–15]. The current time of the day in microseconds provides about 36 bits of entropy. -subj "$DN"\. The overview of collision complexities is in Table 1. To forge A’s certificate, we need to generate a chosen-prefix collision pair to construct two certificates, one of which is in the name of A and the other is in the name of B. Thus they could predict the value of the fields easily. openssl x509 -noout -serial -in cert.pem will output the serial number of the certificate, but in the format serial=0123456709AB. So in Step 5, we randomly select a value of m; the success probability is 0.01; in other words, if we submit the application more than 69 times, the success probability is more than 50%. Also, if something goes wrong, you’ll probably have a much harder time figuring out why. To verify the conclusion, we use Algorithm 4 to predict the serial number and “not before.”
The method of Stevens cannot forge a certificate from an existing certificate because the second preimage attack of MD5 is hard so far. Use the "-set_serial n" option to specify a number each time. The valid time and the serial number of certificates in CFSSL. Some countermeasures are given in Section 5 and Section 6 investigates other open source libraries. Thus, the way of generating serial number in OpenSSL was reviewed. CAs MUST force the serialNumber to be a non-negative integer. http://www.win.tue.nl/hashclash/rogue-ca/, https://news.netcraft.com/archives/2009/01/01/14_of_ssl_certificates_signed_using_vulnerable_md5_algorithm.html, https://github.com/cr-marcstevens/hashclash, https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS, https://github.com/PeculiarVentures/fortify, Input: n, b, where b is divided into 20-byte-length block bi, //md is 20-byte states; s is 1023 bytes PRNG states, Input: r, where r is divided into 10-byte-length blocks, // r is defined and evaluated in the function, to generate forged certificates according to the Stevens’s method [,
X. Wang, X. Lai, D. Feng, H. Chen, and X. Yu, “Collisions for hash functions md4, md5, HAVAL-128 and RIPEMD,”, X. Wang and H. Yu, “How to break MD5 and other hash functions,” in, M. Stevens, A. Lenstra, and B. de Weger, “Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities,” in, M. Stevens, A. Sotirov, J. Appelbaum et al., “Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate,” in, M. Stevens, A. K. Lenstra, and B. de Weger, “Chosen-prefix collisions for MD5 and applications,”, J. Appelbaum, A. Lenstra, D. Molnar et al., “Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate,” in, M. Fillinger and M. Stevens, “Reverse-engineering of the cryptanalytic attack used in the flame super-malware,” in, Netcraft., “14% of SSL certificates signed using vulnerable MD5 algorithm,”, F. Strenzke, “An analysis of openssl's random number generator,” in, S. H. Kim, D. Han, and D. H. Lee, “Predictability of android openssl's pseudo random number generator,” in, F. Dörre and V. Klebanov, “Practical detection of entropy loss in pseudo-random number generators,” in, T. Yoo, J.-S. Kang, and Y. Yeom, “Recoverable random numbers in an internet of things operating system,”, S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage, “When private keys are public: results from the 2008 debian openssl vulnerability,” in, S. H. Kim, D. Han, and D. H. Lee, “Practical effect of the predictability of android openSSL PRNG,”, M. Stevens, P. Karpman, and T. Peyrin, “Freestart collision for full SHA-1,” in. The data used to support the findings of this study are included within the article. 
According to the chosen-prefix collision attack, the generated collision pair looks like a random number, and only the field “subject public key info” resembles a random number. If the file “serial” in the current directory exists, the serial number can be set up in the file; that is to say, we can designate a number as the serial number in the file. There are 5 kinds of random number generators in Botan, depending on the command parameters “rng --system --rdrand --auto --entropy --drbg --drbg-seed= bytes.” The parameter “--system” means using the RNG of the operating system, such as /dev/(u)random in Linux-like systems. In addition, we collected 180,000+ certificates from the Internet, of which 5000+ certificates are based on MD5, in other words 2.8% of the certificates. Since the parameter “startdate” is set as NULL when the function is called, the data field “not before” of certificates is set as the current time of the system. The openssl ca command uses two serial number files: specifies the serial number to use. Obviously, if the seed is a variable secret, the entropy will be increased. (There was no good reason to do so, but it seemed a harmless thing to do). We have investigated other open source libraries generating certificates, EJBCA [21], CFSSL [22], NSS [23], Botan [24], and Fortify [25], to find whether similar problems exist when generating serial numbers of certificates. It is possible to forge certificates based on the method presented by Stevens. certs/ca.cert.pem. We can retrieve this with the following openssl command: This option can be used with either the -signkey or -CA options. 
Although the MD5 algorithm has been replaced by CAs, this kind of attack will be feasible if a chosen-prefix collision of current hash functions is found in the future. The paper is organized as follows. In [10], Strenzke pointed out that if the seed was in a low entropy state, the output of the random number generator would leak the information of the seed, which was called low entropy secret leakage (LESL). In summary, the serial number depends on two time variables “tim” and “tv,” where “tim” is a 32-bit integer which records the number of seconds since 00:00:00 Jan. 1, 1970, and “tv” is a 64-bit integer which records the number of 100 nanoseconds since 00:00:00 Jan. 1, 1601, in Windows, while “tv” records the number of microseconds since 00:00:00 Jan. 1, 1970, in Linux. We investigate five other open source libraries and find a similar vulnerability in two libraries, EJBCA and NSS. We reviewed the source code of Botan 2.6 to find the way that the valid time and serial number of certificates are generated. A copy of the serial number is used internally so serial should be freed up after use. CRL number file. what size serial number you use. The submitting time was recorded and the value of “not before” was checked after receiving the certificate. Comodo / Sectigo is changing its Root CAs 28-12-2018 11:23:52. After that OpenSSL will increment the value each time a new certificate is generated. The method needs to construct two certificates based on the chosen-prefix collision attack of MD5 before submitting one of them to apply for a certificate to a CA. 
Similarly, among the other 5 open source libraries, EJBCA and NSS have the same vulnerability. After a series of function calls, the functions “RAND_add(const void buf, int num, double add)” and “RAND_bytes(unsigned char buf, int num)” are called in bn_rand.c (Figure 5). It is therefore piped to cut -d'=' -f2, which splits the output on the equal sign and outputs the second part - 0123456709AB. If an attacker can forge other’s digital certificate, he/she may impersonate other’s identity and access sensitive information. Furthermore, we investigate the way of generating serial numbers of certificates in other open source libraries, such as EJBCA, CFSSL, NSS, Botan, and Fortify. Otherwise, attackers would guess again. The addition of s/.*=//g at the start of the sed command replaces the cut in the first version. We can see the chosen-prefix collision of MD5 is feasible in computing while the chosen-prefix collision of SHA-1 is unfeasible so far. We can see that every time jump is larger than 100 nanoseconds. Before guessing the serial number and validity period in certificates, they need to collect/apply for enough certificates issued by the CA and look for whether the two fields have any patterns. The serial number is a fixed length, it cuts off at 64 bits, but if one of those bits is necessarily a zero – you’ve just lost one bit of entropy. The answers I've found are pointing to the lack of index file. The computation complexity is . However, in real computer systems, can the timing precision be 100 nanoseconds? It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). After that, the randomness of the serial number is required. After that, many companies announced that MD5 was vulnerable to digital certificates, such as Verisign, Microsoft, Mozilla, TC TrustCenter, RSA, US-CERT, and Cisco [6]. 
In the paper, we found a vulnerability in how OpenSSL generates the serial number of X.509 certificates. The input parameter md0 of RAND_add is the IV of the SHA1 algorithm. Botan is an open source cryptography library written in C++. This was a big event for commercial CAs and their users because this kind of forged certificate can be verified successfully. If a user A’s certificate already exists, we cannot forge the certificate directly because that requires constructing a second preimage of the hash value of the certificate. We use OpenSSL 1.1.0e to review how a certificate is generated. In the case, the parameter b of RAND_add() is "time_t" type of variable "tim," while the parameter r of RAND_bytes() is defined inside. We will be using OpenSSL in this article. The valid time and the serial number of certificates in Fortify. Then, in this case, how do we predict the random serial number? According to the above discussion, attackers can predict the serial number and “not before” of a certificate. “LL_USHR” is a macro defined in “prlong.h” to logically shift the second operand right by the number of bits specified in the third operand. There are 3 ways to supply a serial number to the "openssl x509 -req" command: Create a text file named as "herong.srl" and put a number in the file. Thus, attackers cannot know the exact time when the certificate is generated. Thus, we know some information of the seeds of the serial number. If used in conjunction with the -CA option the serial number file (as specified by the -CAserial or -CAcreateserial options) is not used. This is one of the serious threats to the public. 
Use the "-CAcreateserial -CAserial herong.seq" option to let "OpenSSL" create and manage the serial number. In addition, the value of “not before” is the time when generating the certificate. We can find that the difference between the two times is 5 seconds fixed. NSS is a set of libraries supporting cross-platform network security services and developed by Mozilla. The problem shows that the entropy of the seed is too low, which cannot guarantee the randomness of serial numbers. In Figure 4, a dummy seed is defined but it is a fixed 20 bytes “.”. Obviously, the problem of EJBCA is similar to OpenSSL. If they find any, then the fields can be predicted. Then, Section 4 proposes a method predicting the key fields of certificates. In [4], the authors reported that the validity period started exactly 6 seconds after a certification request was submitted. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Not knowing what a certificate or certificate authority is makes it harder to remember these steps. Sectigo, formerly known as Comodo CA, is entering the next phase of its transition: it’s replacing Comodo CA roots with USERTrust roots on January 14, 2019. The generation algorithm of “serial number” is “SHA1PRNG” and the seed is set as “current time” (in milliseconds). In this article, we have learnt some commands and usage of OpenSSL commands which deal with SSL certificates, where OpenSSL has lots of features. (2) How do we predict the value of the field “not valid before” that is in the unit of second? Upon successful entry, the unencrypted key will be output on the terminal.