From mboxrd@z Thu Jan 1 00:00:00 1970
Mime-Version: 1.0 (Apple Message framework v619.2)
In-Reply-To:
References: <20050219183814.GISZ2048.imf19aec.mail.bellsouth.net@p1.stuart.org>
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id: <9e8b82886fac51f78a70e17b6ba26813@telus.net>
Content-Transfer-Encoding: 7bit
From: Paul Lalonde
Date: Sat, 19 Feb 2005 11:20:18 -0800
To: Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu>
Subject: [9fans] Venti security in view of SHA-1 exploit
Topicbox-Message-UUID: 4ea11f1a-eace-11e9-9e20-41e7f4b1d025

Has anyone given any thoughts on how Venti might be affected by the recent weakening of the SHA-1 hash?

I can see one exploit in which a different block is returned from a compromised venti server, that I accept because the fingerprint matches the requested fingerprint. The issue of turnaround time isn't really there as files live on Venti for a long time, and a compromised server could at its leisure find a collision for some block I'm submitting.

The likelihood of such an exploit seems small, but should we be looking for a better Venti hash?

Paul
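
The acceptance check described in the message above, as an added example that is not part of the original post and is not Venti's own code. `Store`, `read_verified` and `colliding_block` are hypothetical names, and truncating the SHA-1 score to 16 bits is an assumption used only to model a weakened hash on constructed sample data.

```python
import hashlib
from itertools import count

def score(block: bytes, bits: int = 160) -> bytes:
    """SHA-1 score of a block; bits < 160 truncates it to model a weakened hash."""
    return hashlib.sha1(block).digest()[: bits // 8]

class Store:
    """In-memory stand-in for a server that maps score -> block (hypothetical)."""
    def __init__(self, bits: int = 160):
        self.bits = bits
        self.blocks = {}

    def write(self, block: bytes) -> bytes:
        s = score(block, self.bits)
        self.blocks[s] = block
        return s

    def read(self, s: bytes) -> bytes:
        return self.blocks[s]

def read_verified(store: Store, s: bytes) -> bytes:
    """Client check: recompute the score of what came back and compare."""
    block = store.read(s)
    if score(block, store.bits) != s:
        raise ValueError("score mismatch: returned block is not the one requested")
    return block

def colliding_block(target: bytes, bits: int) -> bytes:
    """Search for a different block with the same truncated score (small bits only)."""
    want = score(target, bits)
    for i in count():
        cand = b"substitute-%d" % i
        if cand != target and score(cand, bits) == want:
            return cand

def demo():
    original = b"constructed sample block"
    strong = Store(160)
    s = strong.write(original)
    strong.blocks[s] = b"some other block"      # server swaps the stored block
    try:
        read_verified(strong, s)
        swap_rejected = False
    except ValueError:
        swap_rejected = True
    weak = Store(16)                             # 16-bit score: collisions are cheap
    s16 = weak.write(original)
    weak.blocks[s16] = colliding_block(original, 16)
    accepted = read_verified(weak, s16)          # passes the same check
    return swap_rejected, accepted != original

if __name__ == "__main__":
    print(demo())
```

With the full 160-bit score the swapped block is rejected; with the truncated score the same check accepts a different block, so the client's guarantee is exactly as strong as the hash behind the score.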