On Mon, Oct 28, 2013 at 6:49 AM, Richard Elling <richard.ell...@gmail.com> wrote:

> I hate to keep this thread going, but it cannot end with an open-ended
> threat... please, let's kill it off nice and proper.

Hey, I don't want to waste anyone's time, including my own. If nobody is interested in this — possibly including the original author of the patch, Saso Kiselkov, judging from ¹ — then by all means let's drop the subject.

¹ http://article.gmane.org/gmane.os.illumos.zfs/3103

However, in case someone out there is reading this…

> Do you agree that if the attacker does not have DDT key (including the hash)
> of the future intended write (ignoring the fact that we haven't invented a
> properly working time machine yet) that this attack is extraordinarily
> difficult to conduct with any hope of a fruitful outcome? If so, let's kill
> this thread.

I'm not sure what you mean about the future intended write. The risk I was talking about was that an attacker can cause two blocks (on someone else's ZFS system) to hash to the same fingerprint.

Assuming that "the DDT key" is the secret which is prefixed to the block contents in the current patch, then I agree it is extremely difficult to cause two blocks to hash to the same fingerprint.

A way to be more precise about how difficult it is, is to talk about what property we depend on the hash function to have in order to prevent this attack. If the attacker steals the secret, or if there is some variant of ZFS which shares that secret among multiple parties ², then the property that we rely on the hash function to have is "collision-resistance". If the attacker doesn't have the secret, then the property that we rely on the hash function to have is one which is closely related to, and even easier-to-achieve than, "MAC".

² http://article.gmane.org/gmane.os.illumos.zfs/3015

Functions which, in my opinion, have this easier-to-achieve-than-MAC property include SHA-256, HMAC-MD5, Skein, BLAKE2, and BLAKE2-reduced-to-5-rounds. Almost all cryptographic hash functions have this property! One of the few cryptographic hash functions which I would be not so confident in is Edon-R. It *probably* still has this property, but it might not, and cryptographers haven't studied it much.

Functions which, in my opinion, have the much harder-to-achieve "collision-resistance" property include SHA-256, Skein, BLAKE2, and *probably* BLAKE2-reduced-to-5-rounds.

> I'll let the fact that there is no "future dedup run" and there is no
> "replace blocks later" in ZFS fall quietly in the forest with nobody
> listening.

I'm sorry if I've misunderstood; I'm not an expert on ZFS. If you'd like to take some of your valuable time to explain it to me, I'll spend some of my valuable time to learn, because I'm interested in filesystems in general and ZFS in particular. If not, I'm pretty sure everything I've written above is still true.

Regards,

Zooko Wilcox-O'Hearn
Founder, CEO, and Customer Support Rep
https://LeastAuthority.com
Freedom matters.

-------------------------------------------
illumos-zfs Archives: https://www.listbox.com/member/archive/182191/=now
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
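The two threat models in the message above, as an added illustration that is not part of the thread or of ZFS: a toy fingerprint-only dedup table keyed the way the mail describes the patch (secret prefixed to the block contents, here assumed to be plain SHA-256 over secret || block), and what a fingerprint collision does to it. The digest is truncated only so the collision is findable in a demo; the 32-byte case shows the search going nowhere.

```python
import hashlib

def fingerprint(secret: bytes, block: bytes, nbytes: int = 32) -> bytes:
    """Dedup fingerprint modelled on the patch as described in the mail:
    SHA-256 over the pool secret prefixed to the block (assumed layout).
    `nbytes` truncates the digest purely so the demo below can find a collision."""
    return hashlib.sha256(secret + block).digest()[:nbytes]

class DedupStore:
    """Fingerprint-only dedup table (no byte-for-byte verify), so a second block
    whose fingerprint already exists is silently mapped to the first block's data."""
    def __init__(self, secret: bytes, nbytes: int = 32):
        self.secret, self.nbytes, self.table = secret, nbytes, {}

    def write(self, block: bytes) -> bytes:
        fp = fingerprint(self.secret, block, self.nbytes)
        self.table.setdefault(fp, block)   # existing entry wins: that is dedup
        return fp

    def read(self, fp: bytes) -> bytes:
        return self.table[fp]

def find_colliding_pair(secret: bytes, nbytes: int, limit: int = 200_000):
    """Birthday search for two distinct blocks with equal fingerprints.
    It needs the secret, i.e. this is the 'attacker holds the key' model, where
    only collision-resistance of the hash stands in the way. Returns None if no
    pair turns up within `limit` constructed blocks."""
    seen = {}
    for i in range(limit):
        block = b"blk-%d" % i                  # constructed sample blocks
        fp = fingerprint(secret, block, nbytes)
        if fp in seen and seen[fp] != block:
            return seen[fp], block
        seen[fp] = block
    return None

def demo_corruption(nbytes: int = 2) -> bool:
    """With a 16-bit fingerprint a collision is guaranteed by pigeonhole; writing
    the second block then reads back as the first one's contents."""
    secret = b"constructed-pool-secret"
    a, b = find_colliding_pair(secret, nbytes)
    store = DedupStore(secret, nbytes)
    store.write(a)
    fp_b = store.write(b)
    return a != b and store.read(fp_b) == a
```

Without the secret the searcher above cannot even evaluate `fingerprint`, which is the weaker, MAC-like requirement the mail contrasts with collision-resistance.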