[Opensim-dev] Proposal to eliminate the name, description and invType fields from the assets db table

Sean Dague sean at dague.net
Mon Jun 23 13:15:55 UTC 2008 

On Sat, Jun 21, 2008 at 09:41:33PM -0400, Frisby, Adam wrote:
> Snip:
> ---
> ...Moreover, if we adopt generation of UUIDs using a hashing algorithm
> (e.g. SHA1) at some stage, we wouldn't even need to embed the UUID in
> the name...
> ---
> Unsnip:
> 
> A warning here if I may.
> 
> *DO NOT DO THIS*. Hashing to produce a UUID for the asset, while
> tempting in a space-saving kind of way, actually is not secure. Allow me
> to explain further:
> 
> There are many known attacks on MD5 (and SHA1) which allow a duplicate
> hash to be produced by tacking on additional data at the end of your
> intended data, so - say someone wants to replace the default avatar with
> a flying phallus, it would be possible to do, by creating a specifically
> targeted asset with some dummy data on the very end to produce a
> duplicate hash. When uploaded, it would override the original UUID of
> that asset and hence could be bad.

First off, SHA1 isn't broken.  Secondly, we have a no update policy on
assets today, so this isn't a viable attack even if it was broken.

I don't think that with those 2 facts using SHA1 would be an issue
here.  I'd like to avoid SHA256 if possible, mostly because SHA1 is
computationally fast.

While I understand the hype on the concerns here, the way we'd use SHA1
generated UUIDs shouldn't open up any holes.

    -Sean

-- 
__________________________________________________________________

Sean Dague                                       Mid-Hudson Valley
sean at dague dot net                            Linux Users Group
http://dague.net                                 http://mhvlug.org

There is no silver bullet.  Plus, werewolves make better neighbors
than zombies, and they tend to keep the vampire population down.
__________________________________________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://opensimulator.org/pipermail/opensim-dev/attachments/20080623/f1bfd7a0/attachment-0001.pgp>

More information about the Opensim-dev mailing list