On 2013-11-18 23:46, Cathal Garvey wrote:
Well, the DHT is (if I recall correctly!) used not only for locating peers but for locating files. So, for example, imagine the case where an update to Retroshare is offered from within the network: the Retroshare devs themselves estimated that to forge a malicious hash would take weeks on consumer end hardware, and therefore that it was an impractical attack not worthy of threat modelling.
Leaving aside the fact that your real adversary does *not have to constrain itself to consumer end hardware*, it's the first time I've encountered a "serious" crypto project that considers *weeks* to be "computationally infeasible".
This is all ignoring the fact that SHA1 was built by the NSA. Specifically (correct me if I'm mistaken): SHA0 was based on MD5, and SHA1 was then proposed soon after as its replacement by the NSA after some alterations to correct *undisclosed vulnerabilities*. Ahem.
So, AFAIK RS is using a hash function redesigned (for all intents and purposes) in secret by *the adversary* which has plenty of publicly known attacks and may well have a critical in-built attack, and relies on this hash to route to the correct file or peer.
Once you have a peer's keys, you can keep them and trust-on-first-use, and RS *probably* (anyone wanna check source?) uses and checks signatures thereafter, but if the signatures are based on a SHA1 hash you're back to square one, where a forged hash will fit a valid signature.
In view of recent events, I am inclined to distrust SHA1, and even if SHA1 is entirely trustworthy, using it gives NIST and thus the NSA power which it will abuse; and even if one doubts that the use of NIST-approved algorithms in one's own project gives the NSA power, or doubts that the NSA will abuse that power, using NIST-approved algorithms on default settings gives people reason to suspect that the group, individual, or organization setting those defaults might play footsie with the NSA behind closed doors. For this reason I recommend employing the symmetric algorithms set as defaults by Jon Callas, and the asymmetric algorithms of Daniel Bernstein. Skein in place of SHA.

http://blog.jim.com/crypto/moving-away-from-nist.html
http://blog.jim.com/crypto/cryptography-standards.html
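To make the quoted point about signatures over a SHA1 digest concrete, here is an added Python model; it is not Retroshare code and not from either poster. A peer "signs" an update by authenticating its digest, so any second blob with the same digest verifies under the original signature; `digest` truncates SHA-1 to `nbits` so that at 8 bits the second-preimage search succeeds instantly, while at the full 160 bits the same search finds nothing within its budget. The HMAC stand-in for a signature, the key, and the byte strings are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key; HMAC over the digest stands in for a real signature scheme.
SIGNING_KEY = b"demo-peer-key"


def digest(data: bytes, nbits: int) -> bytes:
    """SHA-1 truncated to nbits; 160 is full SHA-1, smaller values model a weakened hash."""
    return hashlib.sha1(data).digest()[: nbits // 8]


def sign(data: bytes, nbits: int) -> bytes:
    """The 'signature' binds only to the digest, as a hash-then-sign scheme does."""
    return hmac.new(SIGNING_KEY, digest(data, nbits), hashlib.sha256).digest()


def verify(data: bytes, sig: bytes, nbits: int) -> bool:
    return hmac.compare_digest(sign(data, nbits), sig)


def find_colliding_update(original: bytes, nbits: int, budget: int):
    """Try `budget` candidate blobs for one whose truncated digest matches the original's.

    Returns the colliding blob or None. This is the 'forge a malicious hash' cost the
    thread argues about: expected work is about 2**nbits trials for a second preimage.
    """
    target = digest(original, nbits)
    for i in range(budget):
        candidate = b"constructed malicious update #%d" % i
        if candidate != original and digest(candidate, nbits) == target:
            return candidate
    return None


def demo(nbits: int, budget: int = 200_000) -> bool:
    """True if a colliding blob was found AND the legitimate signature accepts it."""
    original = b"retroshare-update.tar.gz contents (constructed sample)"
    sig = sign(original, nbits)
    forged = find_colliding_update(original, nbits, budget)
    return forged is not None and verify(forged, sig, nbits)


if __name__ == "__main__":
    print("8-bit digest, forged blob verifies:", demo(8))
    print("160-bit digest, forged blob verifies:", demo(160))
```

The verifier never sees the file contents, only the digest, which is why the hash's second-preimage resistance is the whole strength of the signature.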