9fans - fans of the OS Plan 9 from Bell Labs
From: "Russ Cox" <rsc@swtch.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu>
Subject: Re: [9fans] Venti and the hash / public key in plan9
Date: Mon,  6 Feb 2006 14:45:15 -0500
Message-ID: <E1F6CIV-0004tK-2N@x40.swtch.com>
In-Reply-To: <45219fb00602060955o4cf10e2et@mail.gmail.com>

Venti is just a block storage server.
It accepts blocks ranging in size from 0 bytes to 56kB.  
The application can use whatever block size it likes. 
8k is typical.  When I back up file systems I use the 
underlying file system block size.

The current Venti server (in Plan 9) does check when you
write a block, if it hashes to an existing block, that the two
are the same.  My newer Venti server (in Plan 9 from User Space)
does not do this, which is faster.

All this discussion about things more likely than two
random blocks having the same hash is amusing, but
there is a serious point no one has brought up.  
All the math depends on blocks chosen randomly.  An adversary
might actually come up with two blocks with the same
hash, not by random search but by being very clever.

Some researchers in China recently claimed to have 
a program that generates two different blocks with the same
MD5 hash (and I think there is one for SHA1 too, that takes
longer).  I ran the MD5 program for a while on my laptop but
it did not finish.  Maybe I just got unlucky (there is still a
little randomness).  It was supposed to be able to finish
in something like 45 minutes and I ran it overnight.

I don't know whether their approach generates two 
blocks of the same length.  I do know that if they are
trying to match a pre-existing hash they do so by adding
padding in the form of some kind of comment.  For example,
they could start with a PDF that said "Buy 1M shares of X",
change the Buy to Sell, and then insert some comments in
the PDF to make the hash of the new document the same
as the hash of the original document and thus the old
signature would work for the new document.  This is bad
and will be worse as computers get faster, and various 
people are worried about how to switch to SHA256.

I am not worried.  If there is some adversary using
your Venti system, there are simpler attacks they could
use to render it inoperable (like fill it up).  I am happy to
assume that the Venti clients are playing nicely.
If, at some point in the future, it was really a problem,
the types that Venti stores with each block would allow
a Venti server to be "transcoded" into a different hash
function pretty easily.  (Of course, the clients would have
to be informed of the new hashes of their root blocks.)

Russ
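
Added example, not part of the original message and not Venti's own code: a toy content-addressed block store showing the write-time check described above (a block whose score already exists must be byte-identical) and how a stored block type lets a tree be transcoded to another hash function, yielding a new root score. Assumptions: the `Store` class, the `DATA`/`POINTER` type tags, the pointer-block layout (concatenated child scores) and the `score_len` truncation, which exists only so a collision can be produced for the check, are all hypothetical.

```python
import hashlib, itertools

MAX_BLOCK = 56 * 1024      # largest block size given in the message
DATA, POINTER = 0, 1       # hypothetical type tags for this sketch

class Collision(Exception):
    """Two different blocks produced the same score."""

class Store:
    """Toy content-addressed store: score = hash(block), kept with a type."""
    def __init__(self, algo="sha1", score_len=None, verify=True):
        self.algo, self.verify, self.blocks = algo, verify, {}
        self.score_len = score_len or hashlib.new(algo).digest_size

    def score(self, data):
        return hashlib.new(self.algo, data).digest()[:self.score_len]

    def write(self, btype, data):
        if len(data) > MAX_BLOCK:
            raise ValueError("block too large")
        s = self.score(data)
        if s in self.blocks:
            # Write-time check: an existing score must mean identical bytes.
            if self.verify and self.blocks[s][1] != data:
                raise Collision(s.hex())
            return s       # unchecked: the first block silently wins
        self.blocks[s] = (btype, data)
        return s

    def read(self, s):
        return self.blocks[s]

def transcode(old, new, root):
    """Copy the tree under root into a store with another hash; return new root."""
    btype, data = old.read(root)
    if btype == POINTER:
        # The stored type marks this block as child scores needing a rewrite.
        step = old.score_len
        kids = [data[i:i + step] for i in range(0, len(data), step)]
        data = b"".join(transcode(old, new, k) for k in kids)
    return new.write(btype, data)

def find_collision(store):
    """Search for two blocks with equal score (practical only if score_len is tiny)."""
    seen = {}
    for i in itertools.count():
        blk = b"block-%d" % i
        prev = seen.setdefault(store.score(blk), blk)
        if prev != blk:
            return prev, blk
```

The score returned by `transcode` is the new root that clients would have to be given; with `verify=False` a colliding write returns the existing score and the second block's contents are never stored.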

