James A. Donald
Tue Nov 19 01:13:46 EST 2013
On 2013-11-18 23:46, Cathal Garvey wrote:
> Well, the DHT is (if I recall correctly!) used not only for locating
> peers for but locating files. So, for example imagine the case where an
> update to Retroshare is offered from within the network: the retroshare
> devs themselves estimated that to forge a malicious hash would take
> weeks on consumer end hardware, and therefore that it was an
> impractical attack not worthy of threat modelling.
> Leaving aside the fact that your real adversary does *not have to
> constrain itself to consumer end hardware*, it's the first time I've
> encountered a "serious" crypto project that considers *weeks* to be
> "computationally infeasible".
> This is all ignoring the fact that SHA1 was built by the NSA.
> Specifically (correct me if I'm mistaken): SHA0 was based on MD5, and
> SHA1 was then proposed soon after as its replacement by the NSA after
> some alterations to correct *undisclosed vulnerabilities*. Ahem.
> So, AFAIK RS is using a hash function redesigned (for all intents and
> purposes) in secret by *the adversary* which has plenty of publicly
> known attacks and may well have a critical in-built attack, and relies
> on this hash to route to the correct file or peer.
> Once you have a peer's keys, you can keep them and trust-on-first-use,
> and RS *probably* (anyone wanna check source?) uses and checks
> signatures thereafter, but if the signatures are based on a SHA1 hash
> you're back to square one, where a forged hash will fit a valid
In view of recent events, I am inclined to distrust SHA1, and even if
SHA1 is entirely trustworthy, using it gives NIST and thus the NSA power
which it will abuse, and even if one doubts that the use of NIST
approved algorithms in one's own project gives the NSA power, or doubts
that the NSA will abuse that power, using NIST approved algorithms on
default settings gives people reason to suspect that the group,
individual, or organization setting those defaults might play footsie
with the NSA behind closed doors.
For this reason I recommend employing the symmetric algorithms set as
defaults by Jon Callas, and the asymmetric algorithms of Daniel Bernstein.
Skein in place of SHA.
More information about the cypherpunks