From: Tim Newsham <newsham@lava.net>
To: Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu>
Subject: Re: [9fans] Venti security in view of SHA-1 exploit
Date: Sat, 19 Feb 2005 10:14:11 -1000
Message-ID: <Pine.BSI.4.61.0502191004030.3971@malasada.lava.net>
In-Reply-To: <9006e346da4717eaae1f97188a21d77d@telus.net>

> But the question is should we, not could we.

The attacks I can think of:

- attacker with access to venti anticipates a particular block
  will be stored in the future. He burns cycles and finds a
  collision and stores his corrupt block first. Later you
  store your block and when you fetch the file you stored
  one of the blocks is bad.
- a malicious venti server targets some stored blocks and
  burns cycles to replace them with bad blocks.
- a man-in-the-middle sees a block go by and targets it for
  corruption. He burns cycles and finds a collision. Next
  time the block is requested he injects the bad block.

All of this assumes the attacker gets to choose which block
to cause a collision on. I haven't followed the previous MD5
work, does anyone know if this is the case? If the attack
is limited to just finding any two blocks that collide then
neither of these attacks would be viable.

In the case of SHA1 the scant information released so far
indicates it's still a 2^69 attack. That's a LOT of operations.
It sounds to me like the need to switch from SHA1 is not
pressing right now, especially since the details of the
attack have not yet been published.

What scares me a little though is that some people are
recommending dropping the "collision-proof" requirements
of hashes. If that were to happen I wonder what the implications
would be for any hash-addressable storage systems.

> Paul

disclaimer: I'm a security guy, but definitely no crypto expert.

Tim N.
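
The distinction the message turns on (any two colliding blocks versus a collision on a block chosen in advance), as an added example that is not part of the original message and not Venti's code. Assumptions: scores are SHA-1 truncated to 2 bytes so both searches finish quickly, and `BlockStore`, `compare_on_write`, `any_collision`, `collision_with` and `demo` are hypothetical names for a toy hash-addressed store.

```python
import hashlib
from itertools import count

SCORE_BYTES = 2  # toy assumption: a real score is the full 20-byte SHA-1

def score(block: bytes) -> bytes:
    return hashlib.sha1(block).digest()[:SCORE_BYTES]

class CollisionError(Exception): pass

class BlockStore:  # hypothetical store for illustration only
    def __init__(self, compare_on_write: bool):
        self.blocks, self.compare_on_write = {}, compare_on_write
    def write(self, block: bytes) -> bytes:
        s = score(block)
        old = self.blocks.setdefault(s, block)  # first writer wins
        if self.compare_on_write and old != block:
            raise CollisionError(f"score {s.hex()} already holds other data")
        return s
    def read(self, s: bytes) -> bytes:
        block = self.blocks[s]
        if score(block) != s:  # catches corruption, but not a true collision
            raise ValueError("block does not match its score")
        return block

def any_collision():  # birthday search: any two distinct blocks, one score
    seen = {}
    for i in count():
        b = b"block-%d" % i
        if (s := score(b)) in seen:
            return seen[s], b, i + 1
        seen[s] = b

def collision_with(target: bytes):  # a different block matching a chosen block
    for i in count():
        b = b"other-%d" % i
        if b != target and score(b) == score(target):
            return b, i + 1

def demo(mine: bytes = b"my future block"):
    other, _ = collision_with(mine)
    naive, strict = BlockStore(False), BlockStore(True)
    s = naive.write(other)  # colliding block is stored first
    naive.write(mine)       # silently treated as a duplicate
    strict.write(other)
    try:
        strict.write(mine)  # byte comparison on write notices the clash
    except CollisionError:
        return naive.read(s), True
    return naive.read(s), False
```

With 2-byte scores `any_collision()` needs on the order of 2^8 tries while `collision_with()` needs on the order of 2^16, which is the gap between the two attack models asked about above. The read-time score check passes on the colliding block, so only the write-time byte comparison reports it.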