From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sun, 7 Feb 2010 10:03:42 -1000
From: Tim Newsham
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
In-Reply-To: <3dd5c634eddc6496085190a0e6de46a4@ladd.quanstro.net>
Message-ID:
References: <4B6DB95F.4090907@maht0x0r.net> <78b9710340a6345eac9f8690d306e1bb@brasstown.quanstro.net> <3dd5c634eddc6496085190a0e6de46a4@ladd.quanstro.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Subject: Re: [9fans] In case anyone worries about block hash collision in venti
Topicbox-Message-UUID: cfec49e4-ead5-11e9-9d60-3106f5b1d025

> 1. the sender can't control email headers. many
> transfer agents add a random transfer-id which
> would confound this attack.

If you know the size of the transfer id, you can pad out to the
next full block size.

> 2. if the rcpt uses mbox format, the sender can't
> control how your message is fit into venti blocks.
> the sender would need to control the entire
> mail box.

I'm ignorant on this front.

> 3. http://en.wikipedia.org/wiki/SHA_hash_functions
> says that there have been no SHA1 collisions found.

IIUC there has been significant progress in attacking all major
hash functions and the cryptographic community has low confidence
in all major hash functions at the moment. Some hash algorithms
have more serious attacks than others, but once a few weaknesses
are found it's usually an indication that the algorithm will fall soon.

Re: SHA1, it looks like the strength has been whittled down to
around 2^52 operations:
http://www.schneier.com/blog/archives/2009/06/ever_better_cry.html

I'm not saying that there is a viable attack against your SHA-indexed
venti right now. I'm saying that it's bunk to evaluate the storage
system simply on how likely it is for a random collision to occur.
The proper analysis is how hard it is for a malicious attacker to
cause a collision now and in the near future.

> - erik

Tim Newsham | www.thenewsh.com/~newsham | thenewsh.blogspot.com