On 2013-11-18 23:46, Cathal Garvey wrote:
> Well, the DHT is (if I recall correctly!) used not only for locating
> peers but for locating files. So, for example, imagine the case where an
> update to Retroshare is offered from within the network: the Retroshare
> devs themselves estimated that to forge a malicious hash would take
> weeks on consumer-end hardware, and therefore that it was an
> impractical attack not worthy of threat modelling.
>
> Leaving aside the fact that your real adversary does *not have to
> constrain itself to consumer-end hardware*, it's the first time I've
> encountered a "serious" crypto project that considers *weeks* to be
> "computationally infeasible".
>
> This is all ignoring the fact that SHA1 was built by the NSA.
> Specifically (correct me if I'm mistaken): SHA0 was based on MD5, and
> SHA1 was then proposed soon after as its replacement by the NSA after
> some alterations to correct *undisclosed vulnerabilities*. Ahem.
>
> So, AFAIK RS is using a hash function redesigned (for all intents and
> purposes) in secret by *the adversary*, which has plenty of publicly
> known attacks and may well have a critical built-in attack, and relies
> on this hash to route to the correct file or peer.
>
> Once you have a peer's keys, you can keep them and trust-on-first-use,
> and RS *probably* (anyone wanna check source?) uses and checks
> signatures thereafter, but if the signatures are based on a SHA1 hash
> you're back to square one, where a forged hash will fit a valid
> signature.
In view of recent events, I am inclined to distrust SHA1, and even if
SHA1 is entirely trustworthy, using it gives NIST and thus the NSA power
which it will abuse, and even if one doubts that the use of NIST
approved algorithms in one's own project gives the NSA power, or doubts
that the NSA will abuse that power, using NIST approved algorithms on
default settings gives people reason to suspect that the group,
individual, or organization setting those defaults might play footsie
with the NSA behind closed doors.
For this reason I recommend employing the symmetric algorithms set as
defaults by Jon Callas, and the asymmetric algorithms of Daniel Bernstein.
Skein in place of SHA.
http://blog.jim.com/crypto/moving-away-from-nist.html
http://blog.jim.com/crypto/cryptography-standards.html
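The two mechanisms the quoted message discusses, trust-on-first-use pinning of a peer's key and locating a file (such as an update) by its content hash, are shown below as an added example; this is not Retroshare code and not code from either poster. It assumes a hypothetical peer store and download check, and it uses BLAKE2b as a stand-in for Skein only because Skein is not in Python's standard library. The point it illustrates is that the bytes received are checked against the full digest of a non-SHA-1 hash, and that a peer presenting a different key after the first contact is rejected rather than silently accepted.

```python
"""Added example (not from the thread): trust-on-first-use peer pinning and
content verification that do not depend on SHA-1.

Assumptions (hypothetical, not Retroshare code): a peer is identified by a
fingerprint of its public key, files are located by a content hash, and both
are computed with a hash the thread would accept in place of SHA-1. Skein is
not in Python's standard library, so BLAKE2b stands in for it here.
"""
import hashlib
from typing import Dict


def fingerprint(data: bytes) -> str:
    # Full 256-bit digest, never a truncated prefix: a short identifier is
    # what makes a collision search cheap, whatever the hash function.
    return hashlib.blake2b(data, digest_size=32).hexdigest()


class TofuStore:
    """Records a peer's key fingerprint on first contact; any later contact
    that presents a different key fails the check instead of re-pinning."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def check_peer(self, peer_id: str, public_key: bytes) -> bool:
        fp = fingerprint(public_key)
        pinned = self._pins.get(peer_id)
        if pinned is None:
            self._pins[peer_id] = fp   # first use: trust and pin
            return True
        return pinned == fp            # later use: must match the pin


def verify_download(expected_hash: str, payload: bytes) -> bool:
    # Whatever the DHT claimed about the location, the bytes actually
    # received are checked against the expected full hash before use.
    return fingerprint(payload) == expected_hash


# Constructed sample data (not real keys or a real update).
ALICE_KEY = b"constructed-public-key-of-alice"
MALLORY_KEY = b"constructed-public-key-of-mallory"
UPDATE = b"constructed update payload v2"


def demo() -> dict:
    store = TofuStore()
    first = store.check_peer("alice", ALICE_KEY)      # pinned on first use
    again = store.check_peer("alice", ALICE_KEY)      # same key: accepted
    swapped = store.check_peer("alice", MALLORY_KEY)  # different key: rejected
    good = verify_download(fingerprint(UPDATE), UPDATE)
    tampered = verify_download(fingerprint(UPDATE), UPDATE + b"!")
    return {"first": first, "again": again, "swapped": swapped,
            "good": good, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Running the module prints the outcome of each check; the swapped-key and tampered-payload cases are the ones that must come back False for the pinning and the content check to be worth anything.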