[Opensim-dev] Proposal to eliminate the name, description and invType fields from the assets db table

Belxjander Serechai belxjander at gmail.com
Mon Jun 23 14:22:37 UTC 2008


GUIDs aren't exactly random, they just appear to be random

On Mon, Jun 23, 2008 at 10:47 PM, Melanie <melanie at t-data.com> wrote:
> What is the purpose of creating UUIDs by hashing? If it's not
> duplicate detection/prevention, I see no reason. GUIDs are supposed
> to be random, I believe.
>
> Melanie
>
> Sean Dague wrote:
>> On Sat, Jun 21, 2008 at 09:41:33PM -0400, Frisby, Adam wrote:
>>> Snip:
>>> ---
>>> ...Moreover, if we adopt generation of UUIDs using a hashing algorithm
>>> (e.g. SHA1) at some stage, we wouldn't even need to embed the UUID in
>>> the name...
>>> ---
>>> Unsnip:
>>>
>>> A warning here if I may.
>>>
>>> *DO NOT DO THIS*. Hashing to produce a UUID for the asset, while
>>> tempting in a space-saving kind of way, actually is not secure. Allow me
>>> to explain further:
>>>
>>> There are many known attacks on MD5 (and SHA1) which allow a duplicate
>>> hash to be produced by tacking on additional data at the end of your
>>> intended data, so - say someone wants to replace the default avatar with
>>> a flying phallus, it would be possible to do, by creating a specifically
>>> targeted asset with some dummy data on the very end to produce a
>>> duplicate hash. When uploaded, it would override the original UUID of
>>> that asset and hence could be bad.
>>
>> First off, SHA1 isn't broken.  Secondly, we have a no update policy on
>> assets today, so this isn't a viable attack even if it was broken.
>>
>> I don't think that with those 2 facts using SHA1 would be an issue
>> here.  I'd like to avoid SHA256 if possible, mostly because SHA1 is
>> computationally fast.
>>
>> While I understand the hype on the concerns here, the way we'd use SHA1
>> generated UUIDs shouldn't open up any holes.
>>
>>     -Sean
>>

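Added example, not part of the thread and not OpenSim code: a sketch of the scheme debated above, where an asset's UUID is derived from the SHA-1 of its bytes and the store follows a no-update policy. All class and function names are hypothetical, and the weak ID function in `demo()` is constructed only to force a collision so the no-update path can be exercised.

```python
import hashlib
import uuid


class AssetConflict(Exception):
    """An upload maps to an existing UUID but carries different bytes."""


def asset_uuid(data: bytes) -> uuid.UUID:
    # A UUID holds 128 bits, so the 160-bit SHA-1 digest is truncated.
    # Version/variant bits are not set here (assumption: opaque IDs suffice).
    return uuid.UUID(bytes=hashlib.sha1(data).digest()[:16])


class WriteOnceAssetStore:
    """In-memory stand-in for an assets table with a no-update policy."""

    def __init__(self, id_func=asset_uuid):
        self._id_func = id_func
        self._assets = {}

    def __len__(self):
        return len(self._assets)

    def get(self, asset_id: uuid.UUID) -> bytes:
        return self._assets[asset_id]

    def put(self, data: bytes) -> uuid.UUID:
        asset_id = self._id_func(data)
        existing = self._assets.get(asset_id)
        if existing is None:
            self._assets[asset_id] = data      # first writer wins
        elif existing != data:
            # Same ID, different content: refuse and surface it for review
            # instead of overwriting the stored asset.
            raise AssetConflict(f"{asset_id}: ID collision with different content")
        return asset_id                        # identical re-upload is a no-op


def demo():
    store = WriteOnceAssetStore()
    first = store.put(b"default avatar mesh")
    second = store.put(b"default avatar mesh")  # duplicate upload, same UUID
    # Constructed weak ID (first byte only) to simulate a hash collision.
    weak = WriteOnceAssetStore(id_func=lambda d: uuid.UUID(int=d[0]))
    original_id = weak.put(b"A original")
    try:
        weak.put(b"A replacement")
        replaced = True
    except AssetConflict:
        replaced = False
    return first == second, len(store), replaced, weak.get(original_id)
```

The byte comparison on an ID match is what turns a collision into a rejected upload and a loggable event rather than a silent overwrite or a silent drop.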