[cryptography] [zfs] [Review] 4185 New hash algorithm support

Zooko Wilcox-OHearn zooko at leastauthority.com
Mon Oct 28 15:07:43 EDT 2013

On Mon, Oct 28, 2013 at 6:49 AM, Richard Elling
<richard.elling at gmail.com> wrote:
> I hate to keep this thread going, but it cannot end with an open-ended threat... please, let's kill it off nice and proper.

Hey, I don't want to waste anyone's time, including my own. If nobody
is interested in this — possibly including the original author of the
patch, Saso Kiselkov, judging from ¹ — then by all means let's drop
the subject.

¹ http://article.gmane.org/gmane.os.illumos.zfs/3103

However, in case someone out there is reading this…

> Do you agree that if the attacker does not have DDT key (including the hash) of the future intended write (ignoring the fact that we haven't invented a properly working time machine yet) that this attack is extraordinarily difficult to conduct with any hope of a fruitful outcome? If so, let's kill this thread.

I'm not sure what you mean about the future intended write. The risk I
was talking about was that an attacker can cause two blocks (on
someone else's ZFS system) to hash to the same fingerprint.

Assuming that “the DDT key” is the secret which is prefixed to the
block contents in the current patch, then I agree it is extremely
difficult to cause two blocks to hash to the same fingerprint. A way
to be more precise about how difficult it is, is to talk about what
property we depend on the hash function to have in order to prevent
this attack.

If the attacker steals the secret, or if there is some variant of ZFS
which shares that secret among multiple parties ², then the property
that we rely on the hash function to have is “collision-resistance”.
If the attacker doesn't have the secret, then the property that we
rely on the hash function to have is one which is closely related to,
and even easier-to-achieve than, “MAC”.

² http://article.gmane.org/gmane.os.illumos.zfs/3015

Functions which, in my opinion, have this easier-to-achieve-than-MAC
property include SHA-256, HMAC-MD5, Skein, BLAKE2, and
BLAKE2-reduced-to-5-rounds. Almost all cryptographic hash functions
have this property! One of the few cryptographic hash functions which
I would be not so confident in is Edon-R. It *probably* still has this
property, but it might not, and cryptographers haven't studied it

Functions which, in my opinion, have the much harder-to-achieve
“collision-resistance” property include SHA-256, Skein, BLAKE2, and
*probably* BLAKE2-reduced-to-5-rounds.

> I'll let the fact that there is no "future dedup run" and there is no "replace blocks later" in ZFS fall quietly in the forest with nobody listening.

I'm sorry if I've misunderstood; I'm not an expert on ZFS. If you'd
like to take some of your valuable time to explain it to me, I'll
spend some of my valuable time to learn, because I'm interested in
filesystems in general and ZFS in particular. If not, I'm pretty sure
everything I've written above is still true.


Zooko Wilcox-O'Hearn

Founder, CEO, and Customer Support Rep
Freedom matters.
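The distinction drawn above (collision-resistance when the secret is exposed or shared, a MAC-like property when it is not) can be made concrete with a toy dedup table. The following is an added example and is not code from the ZFS patch under review or from either correspondent; the block contents and the per-pool secret are constructed here, and HMAC-SHA256 stands in for the patch's secret-prefix construction as the standard keyed form.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Added example (not the patch's code): a minimal dedup table that
# fingerprints blocks either with plain SHA-256 (no secret) or with a
# per-pool secret, to show which hash property each mode relies on.


def fingerprint(block: bytes, secret: Optional[bytes]) -> bytes:
    """Return the dedup fingerprint of a block.

    secret is None -> plain SHA-256: a forged dedup match requires two
                      distinct blocks with the same hash, so the function
                      must be collision-resistant.
    secret given   -> keyed hash: the mail describes the patch as prefixing
                      the secret to the block; HMAC-SHA256 is used here as
                      the standard keyed construction (an assumption of this
                      example). Without the secret nobody can compute the
                      fingerprint the pool will assign to a chosen block.
    """
    if secret is None:
        return hashlib.sha256(block).digest()
    return hmac.new(secret, block, hashlib.sha256).digest()


class DedupTable:
    """Stand-in for a dedup table: fingerprint -> stored block contents."""

    def __init__(self, secret: Optional[bytes]):
        self.secret = secret
        self.entries: Dict[bytes, bytes] = {}

    def write(self, block: bytes) -> str:
        fp = fingerprint(block, self.secret)
        if fp in self.entries:
            # A matching fingerprint means the new data is dropped and the
            # existing block is referenced instead; the fingerprint alone
            # decides, which is why its properties matter.
            return "dedup-hit"
        self.entries[fp] = block
        return "stored"


def fingerprint_predictable_without_secret(block: bytes, table: DedupTable) -> bool:
    """Can a party that does not hold the pool secret compute the fingerprint
    this table assigns to a block of its own choosing?  If yes, only the
    hash's collision-resistance stands between it and a forged dedup match;
    if no, the (weaker, MAC-like) keyed property is what the pool relies on."""
    outsider_guess = fingerprint(block, None)   # no secret available
    return outsider_guess == fingerprint(block, table.secret)


def demo() -> dict:
    """Write the same constructed block set into an unkeyed and a keyed table."""
    blocks: List[bytes] = [b"block A" * 512, b"block B" * 512, b"block A" * 512]
    unkeyed = DedupTable(None)
    keyed = DedupTable(os.urandom(32))          # constructed per-pool secret
    return {
        "unkeyed_outcomes": [unkeyed.write(b) for b in blocks],
        "keyed_outcomes": [keyed.write(b) for b in blocks],
        "unkeyed_predictable": fingerprint_predictable_without_secret(blocks[0], unkeyed),
        "keyed_predictable": fingerprint_predictable_without_secret(blocks[0], keyed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both tables deduplicate the repeated block identically, so the secret costs nothing in dedup ratio; the difference is only in what an outsider can compute. For the unkeyed table the fingerprint of any chosen block is public knowledge, so the hash must withstand a collision search; for the keyed table the outsider's guess never matches, which is the "easier than MAC" situation described above.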
