hashes in p2p, was Re: switching from SHA-1 to Tiger ?
Ondrej Mikle
ondrej.mikle at gmail.com
Wed Jul 12 10:34:06 EDT 2006
Travis H. wrote:
> On 7/11/06, Zooko O'Whielacronx <zooko at zooko.com> wrote:
>> I hope that the hash function designers will be aware that hash
>> functions are being used in more and more contexts outside of the
>> traditional digital signatures and MACs. These new contexts include
>> filesystems like ZFS [3], decentralized revision control systems like
>> Monotone [4], git [5], mercurial [6] and bazaar-ng [7], and peer-to-peer
>> file-sharing systems such as Direct Connect, Gnutella, and Bitzi [6].
>
> MD4/5 are commonly used as a unique fixed-size identifier of an
> arbitrarily-chosen* length of data in p2p file systems, and we are all
> aware of the collision attacks. They bring up some interesting points
> to consider:
>
> 1) What semantics can one induce by using a collision attack, given
> the existing protocols/clients? There are some rumors the MPAA or
> RIAA is using protocol-level attacks to "poison" p2p networks like
> bittorrent and KaZaa. Can cryptanalysis results be playing a part?
RIAA uses only very basic cryptanalytic attacks. Specifically, Kazaa
(FastTrack protocol) uses very stupid UUHash algorithm, which works like
this: first 300kB are hashed with MD5, then 300 kB at 1MB boundary is
added to hash, then 300 kB at 2MB boundary, then 300kB at each 2^n MB
boundary. It is clear that it is very easy to generate collisions for
UUHash.
For other networks, mostly sybil attacks are used (spawning a lot of
fake nodes and fake files with the same name so that search turns them up).
> 2) How do we refactor these widely deployed systems with a new,
> stronger hash function?
An example how to handle this might be aMule and eMule clients. The
basic ed2k protocol only uses MD4 hashes (it is hash list, the hash in
magnet link is the MD4 hash of MD4 hashes of file blocks). These two
clients add protocol extension called AICH algorithm (basically it is
Merkle tree of SHA-1 hashes). The root hash might be a part of magnet
link, but does not have to be (since it is not part of the original
protocol).
If the root hash is part of the magnet link, then the received tree can
be checked. If it is not part of the magnet link, then the client
attempts to retrieve it from clients that support AICH. If at least 10
clients send the same root hash and if that is at least 92% of all
received root hashes, such root hash is considered trusted for the
current session. It is definitely not 100% secure, but the more clients
support AICH, the more often you will find the root hash in magnet link
(thus being able to check the received tree). Even in the absence of
root hash in magnet link, the attacker needs to control significant
portion of network to be able to spoof the root hash with some high
probability.
A simple concept that would allow replacing the hash functions would be
adding optional parameters to protocol specification. Then users can
switch clients "continuosly", i.e. users with old clients will not be
cut off of the network each time hash function changes.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list