James A. Donald
Tue Nov 19 01:13:46 EST 2013

On 2013-11-18 23:46, Cathal Garvey wrote:
> Well, the DHT is (if I recall correctly!) used not only for locating
> peers but for locating files. So, for example imagine the case where an
> update to Retroshare is offered from within the network: the retroshare
> devs themselves estimated that to forge a malicious hash would take
> weeks on consumer end hardware, and therefore that it was an
> impractical attack not worthy of threat modelling.
> Leaving aside the fact that your real adversary does *not have to
> constrain itself to consumer end hardware*, it's the first time I've
> encountered a "serious" crypto project that considers *weeks* to be
> "computationally infeasible".
> This is all ignoring the fact that SHA1 was built by the NSA.
> Specifically (correct me if I'm mistaken): SHA0 was based on MD5, and
> SHA1 was then proposed soon after as its replacement by the NSA after
> some alterations to correct *undisclosed vulnerabilities*. Ahem.
> So, AFAIK RS is using a hash function redesigned (for all intents and
> purposes) in secret by *the adversary* which has plenty of publicly
> known attacks and may well have a critical in-built attack, and relies
> on this hash to route to the correct file or peer.
> Once you have a peer's keys, you can keep them and trust-on-first-use,
> and RS *probably* (anyone wanna check source?) uses and checks
> signatures thereafter, but if the signatures are based on a SHA1 hash
> you're back to square one, where a forged hash will fit a valid
> signature.

In view of recent events, I am inclined to distrust SHA1, and even if 
SHA1 is entirely trustworthy, using it gives NIST and thus the NSA power 
which it will abuse, and even if one doubts that the use of NIST 
approved algorithms in one's own project gives the NSA power, or doubts 
that the NSA will abuse that power, using NIST approved algorithms on 
default settings gives people reason to suspect that the group, 
individual, or organization setting those defaults might play footsie 
with the NSA behind closed doors.

For this reason I recommend employing the symmetric algorithms set as 
defaults by Jon Callas, and the asymmetric algorithms of Daniel Bernstein.

Skein in place of SHA.
