hedging our bets -- in case SHA-256 turns out to be insecure
David-Sarah Hopwood
david-sarah at jacaranda.org
Wed Nov 11 19:03:44 EST 2009
Sandy Harris wrote:
> On 11/8/09, Zooko Wilcox-O'Hearn <zooko at zooko.com> wrote:
>
>> Therefore I've been thinking about how to make Tahoe-LAFS robust against
>> the possibility that SHA-256 will turn out to be insecure.
[...]
> Since you are encrypting the files anyway, I wonder if you could
> use one of the modes developed for IPsec where a single pass
> with a block cipher gives both encrypted text and a hash-like
> authentication output. That gives you a "free" value to use as
> H3 in my scheme or H2 in yours, and its security depends on
> the block cipher, not on any hash.
Tahoe is intended to provide resistance to collision attacks by the
creator of an immutable file: the creator should not be able to generate
files with different contents, that can be read and verified by the same
read capability.
An authenticated encryption mode won't provide that -- unless, perhaps,
it relies on a collision-resistant hash.
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
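An added illustration of the point made in this reply (example code, not from the thread or from Tahoe-LAFS): a keyed authenticator such as a CBC-MAC does not commit the key holder to one message, because whoever knows the key can compute a second message with the same tag, whereas a collision-resistant hash of the content does. The block cipher here is a constructed stand-in built from HMAC-SHA-256; the argument only needs a deterministic keyed block function, so it carries over to a real cipher such as AES.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, as for AES

def block_cipher(key: bytes, block: bytes) -> bytes:
    # Constructed stand-in for a block cipher: any deterministic keyed
    # 16-byte function is enough for the collision construction below.
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(key: bytes, message: bytes) -> bytes:
    # Plain CBC-MAC over whole blocks: T = E(... E(E(M1) xor M2) ... xor Mn).
    assert len(message) % BLOCK == 0
    state = bytes(BLOCK)
    for i in range(0, len(message), BLOCK):
        state = block_cipher(key, xor(state, message[i:i + BLOCK]))
    return state

def colliding_message(key: bytes, message: bytes, new_first_block: bytes) -> bytes:
    # The creator, who knows the key, replaces the first block with anything
    # and repairs the second block so the chaining value after block 2, and
    # therefore every later block and the tag, is unchanged:
    #   M2' = M2 xor E(M1) xor E(M1')
    assert len(new_first_block) == BLOCK and len(message) >= 2 * BLOCK
    m1, m2, rest = message[:BLOCK], message[BLOCK:2 * BLOCK], message[2 * BLOCK:]
    m2_new = xor(m2, xor(block_cipher(key, m1), block_cipher(key, new_first_block)))
    return new_first_block + m2_new + rest

def tags_collide(key: bytes, a: bytes, b: bytes) -> bool:
    return cbc_mac(key, a) == cbc_mac(key, b)

def hashes_collide(a: bytes, b: bytes) -> bool:
    # A content hash (SHA-256 here) commits to the exact bytes; a collision
    # would require breaking the hash, which is the property Tahoe relies on.
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()

if __name__ == "__main__":
    key = os.urandom(16)
    # Constructed sample content: three 16-byte blocks.
    original = b"pay Alice   100 " + b"units on Monday." + b"signed: treasury"
    forged = colliding_message(key, original, b"pay Mallory 100 ")
    print("same MAC tag:", tags_collide(key, original, forged))      # True
    print("same SHA-256:", hashes_collide(original, forged))         # False
```

The second block of the forged message is garbage, but a verifier that checks only the keyed tag accepts both versions; one that checks a content hash distinguishes them.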