On 8/19/06, Jusa Saari <jargonautti at hotmail.com> wrote:
> Won't work. Nothing stops me from downloading chicken-porn.jpeg, changing
> one pixel in the upper right corner (so the CHK will differ), and
> inserting it as free-music.mp3.

If I've understood the proposed system correctly, if you download chicken-porn.jpeg and change the name to free-music.mp3, the CHK will be different without requiring a pixel change. For much the same reason, the "preemptive insert under a misleading name" attack will not work; the CHKs for the file, unmodified, will differ depending on the name.

One problem -- what counts as a valid filename? Upload a file on a Plan 9 system (where every Unicode character other than '\0' is valid in filenames, including '\n' and '\\') and something will complain on a Windows system where there are a dozen disallowed characters.

--Joel
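
The name-dependence described in the reply above, as an added example that is not part of the original message or of Freenet's code. It assumes a simplified model in which the key is SHA-256 over a length-prefixed name followed by the content (the thread does not give the proposed construction); all function names are hypothetical and the sample inputs are constructed.

```python
import hashlib

# Printable characters Windows rejects in file names; control
# characters 0-31 are rejected as well and are checked separately.
WINDOWS_FORBIDDEN = set('<>:"/\\|?*')


def name_bound_key(name: str, content: bytes) -> str:
    """Toy stand-in for a content key that also covers the file name.

    The name is length-prefixed so that bytes cannot be shifted between
    the name and the content without changing the key.
    """
    raw = name.encode("utf-8")
    h = hashlib.sha256()
    h.update(len(raw).to_bytes(4, "big"))
    h.update(raw)
    h.update(content)
    return h.hexdigest()


def naive_key(name: str, content: bytes) -> str:
    """Plain concatenation, shown only to illustrate the ambiguity."""
    return hashlib.sha256(name.encode("utf-8") + content).hexdigest()


def unportable_chars(name: str) -> list:
    """Return the characters in `name` that a Windows client would reject."""
    return [c for c in name if c in WINDOWS_FORBIDDEN or ord(c) < 32]


if __name__ == "__main__":
    data = b"constructed sample bytes"  # constructed input
    # Same bytes, different name: the key differs with no pixel change.
    print(name_bound_key("photo.jpeg", data))
    print(name_bound_key("free-music.mp3", data))
    # Without the length prefix, name and content blur together.
    print(naive_key("ab", b"c") == naive_key("a", b"bc"))
    # A name that is legal on Plan 9 but not on Windows.
    print(unportable_chars("mix\n\\tape.mp3"))
```

If the name is part of the hashed input, every client has to agree on its exact byte encoding as well, since any normalisation applied before hashing changes the key.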