[Opensim-dev] Proposal to eliminate the name, description and invType fields from the assets db table
Sean Dague
sean at dague.net
Mon Jun 23 13:15:55 UTC 2008
On Sat, Jun 21, 2008 at 09:41:33PM -0400, Frisby, Adam wrote:
> Snip:
> ---
> ...Moreover, if we adopt generation of UUIDs using a hashing algorithm
> (e.g. SHA1) at some stage, we wouldn't even need to embed the UUID in
> the name...
> ---
> Unsnip:
>
> A warning here if I may.
>
> *DO NOT DO THIS*. Hashing to produce a UUID for the asset, while
> tempting in a space-saving kind of way, actually is not secure. Allow me
> to explain further:
>
> There are many known attacks on MD5 (and SHA1) which allow a duplicate
> hash to be produced by tacking on additional data at the end of your
> intended data, so - say someone wants to replace the default avatar with
> a flying phallus, it would be possible to do, by creating a specifically
> targeted asset with some dummy data on the very end to produce a
> duplicate hash. When uploaded, it would override the original UUID of
> that asset and hence could be bad.
First off, SHA1 isn't broken. Secondly, we have a no update policy on
assets today, so this isn't a viable attack even if it was broken.
I don't think that with those 2 facts using SHA1 would be an issue
here. I'd like to avoid SHA256 if possible, mostly because SHA1 is
computationally fast.
While I understand the hype on the concerns here, the way we'd use SHA1
generated UUIDs shouldn't open up any holes.
-Sean
--
__________________________________________________________________
Sean Dague Mid-Hudson Valley
sean at dague dot net Linux Users Group
http://dague.net http://mhvlug.org
There is no silver bullet. Plus, werewolves make better neighbors
than zombies, and they tend to keep the vampire population down.
__________________________________________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://opensimulator.org/pipermail/opensim-dev/attachments/20080623/f1bfd7a0/attachment-0001.pgp>
More information about the Opensim-dev
mailing list