From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4B70891A.8080508@magma.com.ni>
Date: Mon, 8 Feb 2010 22:58:50 +0100
From: Georg Lehner
User-Agent: Mozilla-Thunderbird 2.0.0.22 (X11/20090706)
MIME-Version: 1.0
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
References: <4B6DB95F.4090907@maht0x0r.net> <78b9710340a6345eac9f8690d306e1bb@brasstown.quanstro.net> <3dd5c634eddc6496085190a0e6de46a4@ladd.quanstro.net>
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [9fans] In case anyone worries about block hash collision in venti
Topicbox-Message-UUID: d07b102a-ead5-11e9-9d60-3106f5b1d025

About a year ago I wrote a (kind of vapourware) backup system called Baccus, based on content addressed storage. Most ideas are stolen from Plan9/venti, but for the here discussed reasons I used the Salsa family of hashes from Dan Bernstein:

http://cr.yp.to/chacha.html

Respectively the Rumba "compression":

http://cr.yp.to/rumba20.html

I combined hashing and encryption with Salsa/Rumba into one step.

The hash function in Baccus is pluggable, so the user could decide which to use and would be able to upgrade to a stronger hash. Maybe pluggability of the hash function would be a nice addition to venti (if it is not there anyways). Also Salsa should be considered a valuable addition to Plan9.

Regards,

Jorge-León

P.S.: Here is the link to Baccus: http://wiki.tcl.tk/23064, but beware: it is in a bad state and style. Didn't have time to improve since then. If you still want to look at it, start with reading the CREDITS file.

PS2: You need at least eight rounds, else you get lots of hash collisions.

Tim Newsham wrote:
>> 1. the sender can't control email headers. many
>> transfer agents add a random transfer-id which
>> would confound this attack.
>
> If you know the size of the transfer id, you can pad out
> to the next full block size.
>
>> 2. if the rcpt uses mbox format, the sender can't
>> control how your message is fit into venti blocks.
>> the sender would need to control the entire
>> mail box.
>
> I'm ignorant on this front.
>
>> 3. http://en.wikipedia.org/wiki/SHA_hash_functions
>> says that there have been no SHA1 collisions found.
>
> IIUC there has been significant progress in attacking
> all major hash functions and the cryptographic community
> has low confidence in all major hash functions at the
> moment. Some hash algorithms have more serious attacks
> than others, but once a few weaknesses are found it's
> usually an indication that the algorithm will fall soon.
>
> Re: SHA1, it looks like the strength has been whittled
> down to around 2^52 operations:
> http://www.schneier.com/blog/archives/2009/06/ever_better_cry.html
>
> I'm not saying that there is a viable attack against
> your SHA-indexed venti right now. I'm saying that it's
> bunk to evaluate the storage system simply on how likely
> it is for a random collision to occur. The proper analysis
> is how hard it is for a malicious attacker to cause a
> collision now and in the near future.
>
>> - erik
>
> Tim Newsham | www.thenewsh.com/~newsham | thenewsh.blogspot.com
>
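Two points from this thread, Georg's pluggable hash with an upgrade path and Tim's argument that the risk to weigh is an attacker-caused collision rather than a random one, combined in an added example that is not code from this thread, from Baccus or from venti: a toy content-addressed block store that refuses to deduplicate when a new block's score is already held by different bytes, plus a migrate() step that re-keys every block under a stronger hash. The names BlockStore, migrate and toy_weak_hash are hypothetical; the 16-bit toy hash is constructed purely so the collision check can be exercised.

```python
import hashlib
from typing import Callable, Dict, Tuple

HashFn = Callable[[bytes], bytes]

def sha256_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def toy_weak_hash(data: bytes) -> bytes:
    # Constructed, deliberately weak 16-bit "hash" so a collision is cheap to find.
    return hashlib.sha256(data).digest()[:2]

class HashCollision(Exception): pass  # two different blocks produced the same score

class BlockStore:
    # Content-addressed store with a pluggable hash (hypothetical, not venti's code).
    def __init__(self, hash_fn: HashFn) -> None:
        self.hash_fn = hash_fn
        self.blocks: Dict[bytes, bytes] = {}
        self.dedup_hits = 0

    def write(self, data: bytes) -> bytes:
        score = self.hash_fn(data)
        existing = self.blocks.get(score)
        if existing is None:
            self.blocks[score] = data
        elif existing == data:
            self.dedup_hits += 1  # genuine duplicate: safe to deduplicate
        else:
            # Same score, different bytes: refuse to silently alias the blocks.
            raise HashCollision(f"score {score.hex()} already maps to other content")
        return score

def migrate(old: BlockStore, new_hash: HashFn) -> BlockStore:
    # Re-key every block under a stronger hash: the upgrade path.
    new = BlockStore(new_hash)
    for data in old.blocks.values():
        new.write(data)
    return new

def find_toy_collision() -> Tuple[bytes, bytes]:
    # Birthday search over constructed inputs; cheap only because the toy hash is 16 bits.
    seen: Dict[bytes, bytes] = {}
    for i in range(1 << 17):  # more inputs than 2^16 scores guarantees a repeat
        data = b"constructed-block-%d" % i
        score = toy_weak_hash(data)
        if score in seen:
            return seen[score], data
        seen[score] = data
    raise RuntimeError("unreachable")
```

The compare-on-dedup check costs a block read per duplicate write, which is the price of turning a silent aliasing into a logged event; it detects a collision only when the colliding block is written second, so it complements, rather than replaces, choosing a hash with adequate adversarial strength.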