Date: Sat, 19 Feb 2005 10:14:11 -1000
From: Tim Newsham
To: Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu>
Subject: Re: [9fans] Venti security in view of SHA-1 exploit
In-Reply-To: <9006e346da4717eaae1f97188a21d77d@telus.net>
Message-ID:
References: <9006e346da4717eaae1f97188a21d77d@telus.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

> But the question is should we, not could we.

The attacks I can think of:

- attacker with access to venti anticipates a particular block will be stored in the future. He burns cycles and finds a collision and stores his corrupt block first. Later you store your block, and when you fetch the file you stored, one of the blocks is bad.

- a malicious venti server targets some stored blocks and burns cycles to replace them with bad blocks.

- a man-in-the-middle sees a block go by and targets it for corruption. He burns cycles and finds a collision. Next time the block is requested he injects the bad block.

All of this assumes the attacker gets to choose which block to cause a collision on. I haven't followed the previous MD5 work, does anyone know if this is the case? If the attack is limited to just finding any two blocks that collide then neither of these attacks would be viable.

In the case of SHA1 the scant information released so far indicates it's still a 2^69 attack. That's a LOT of operations. It sounds to me like the need to switch from SHA1 is not pressing right now, especially since the details of the attack have not yet been published.

What scares me a little though is that some people are recommending dropping the "collision-proof" requirements of hashes. If that were to happen I wonder what the implications would be for any hash-addressable storage systems.

> Paul

disclaimer: I'm a security guy, but definitely no crypto expert.

Tim N.
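The first attack in the post above (an attacker pre-stores a colliding block so the victim's later write is deduplicated away) and the write-time content comparison that would detect it, as an added Python model that is not part of this thread and is not venti's code; the 16-bit truncated hash, the `BlockStore` class, `find_second_preimage` and the sample block contents are all constructed for the demonstration.

```python
import hashlib

def score(data: bytes, nbytes: int = 20) -> bytes:
    """Content address of a block. nbytes=20 is full SHA-1; a smaller value
    is a deliberately weak toy hash (assumption) so a second preimage can be
    found in a fraction of a second for the demonstration."""
    return hashlib.sha1(data).digest()[:nbytes]

class BlockStore:
    """Minimal write-once, content-addressed store in the style of venti
    (constructed model). First writer of a score wins; later identical
    scores are treated as duplicates."""
    def __init__(self, nbytes: int = 20, verify_on_write: bool = False):
        self.nbytes = nbytes
        self.verify_on_write = verify_on_write
        self.blocks = {}

    def write(self, data: bytes) -> bytes:
        s = score(data, self.nbytes)
        if s in self.blocks:
            # Defensive check: a "duplicate" whose bytes differ is a collision.
            if self.verify_on_write and self.blocks[s] != data:
                raise ValueError("score collision: existing block differs")
            return s  # plain dedup silently keeps the earlier block
        self.blocks[s] = data
        return s

    def read(self, s: bytes) -> bytes:
        data = self.blocks[s]
        # Read-time recheck catches storage corruption, but a colliding block
        # passes it: its score matches the requested one by construction.
        assert score(data, self.nbytes) == s
        return data

def find_second_preimage(target: bytes, nbytes: int) -> bytes:
    """Brute-force a different block with the same toy score. Feasible only
    because the toy hash is 16 bits; with full SHA-1 this is out of reach."""
    t = score(target, nbytes)
    i = 0
    while True:
        cand = b"bad block %d" % i
        if cand != target and score(cand, nbytes) == t:
            return cand
        i += 1

def demo(verify_on_write: bool):
    """Returns the bytes the victim reads back, or 'detected' if the
    write-time comparison caught the collision."""
    victim = b"honest file block"
    bad = find_second_preimage(victim, nbytes=2)
    store = BlockStore(nbytes=2, verify_on_write=verify_on_write)
    store.write(bad)              # attacker's block lands first
    try:
        s = store.write(victim)   # victim's write is deduplicated away
    except ValueError:
        return "detected"
    return store.read(s)          # victim gets the attacker's block back
```

Note that the write-time comparison only helps when the honest party writes second; a malicious server or a first-writer-wins race with no later honest write is still undetected by the store itself.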