>> Assuming SHA-1 is indeed cryptographically secure (which is the
>> assumption made by the venti paper)
> 
> Well, I read it like it was just sufficiently secure against
> unintended collisions.
>
> It's not intended to encrypt, but to efficiently store data.

While SHA-1 is indeed not intended to encrypt, it *is* intended
to be a secure hash (hence the name).  In order for it to do that
job, it must be computationally difficult for somebody to find
colliding material.  If it's "easy" to guess venti scores for
file-system roots, that suggests that SHA-1 systematically
doesn't cover certain parts of the output space.  If that is true,
that would be a big help for people trying to find collisions
(and, hence, forge signatures).  It could be that way, but a lot
of people are still acting in ways which will be painful if it is.

Said another way:  SHA-1 is designed to be a different kind of
"checksum" than CRC-32.  CRCs are designed to defend against
accidental corruption, but SHA-1 really is designed to make
deliberate collisions hard.

Dave Eckhardt
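Added illustration (not part of the thread, and not venti's code): a toy content-addressed store that keys blocks by their SHA-1 score and re-hashes on read, plus a check of the structural difference the message points at. CRC-32 is affine over GF(2), so for equal-length inputs crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0) always holds, which is exactly why it only guards against accidental damage; the same relation fails for SHA-1. The block contents and the one-bit "corruption" are constructed for the demo.

```python
import hashlib
import zlib


class ContentStore:
    """Minimal venti-style content-addressed store (illustration only).

    A block's address ("score") is the SHA-1 digest of its contents.  Equal
    blocks collapse onto one score, and a reader re-hashes what comes back so
    a block that no longer matches its score is never trusted.
    """

    def __init__(self):
        self._blocks = {}

    @staticmethod
    def score(data: bytes) -> bytes:
        return hashlib.sha1(data).digest()

    def write(self, data: bytes) -> bytes:
        s = self.score(data)
        self._blocks[s] = data          # duplicates land on the same score
        return s

    def read(self, s: bytes) -> bytes:
        data = self._blocks[s]
        if self.score(data) != s:       # verify on the way out, not just in
            raise ValueError("block contents do not match score")
        return data

    def simulate_bit_flip(self, s: bytes, offset: int) -> None:
        # Stand-in for media corruption: flip one bit of a stored block.
        buf = bytearray(self._blocks[s])
        buf[offset] ^= 0x01
        self._blocks[s] = bytes(buf)


def store_detects_corruption() -> bool:
    """Write a constructed block, corrupt it in place, confirm read() refuses it."""
    store = ContentStore()
    block = b"constructed root block: /usr/glenda\n"
    s = store.write(block)
    if store.read(s) != block:
        return False
    store.simulate_bit_flip(s, 5)
    try:
        store.read(s)
    except ValueError:
        return True
    return False


def is_affine(h, a: bytes, b: bytes) -> bool:
    """True if h(a ^ b) == h(a) ^ h(b) ^ h(0^n) for equal-length a, b."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    x = bytes(p ^ q for p, q in zip(a, b))
    zeros = bytes(len(a))
    return h(x) == h(a) ^ h(b) ^ h(zeros)


def crc32_int(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def sha1_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


# Constructed sample inputs, padded to equal length.
A = b"accidental corruption is what CRC-32 is for"
B = b"deliberate collisions are what SHA-1 resists"
_n = max(len(A), len(B))
A, B = A.ljust(_n), B.ljust(_n)


def linearity_results():
    """(CRC-32 affine?, SHA-1 affine?) on the constructed inputs."""
    return is_affine(crc32_int, A, B), is_affine(sha1_int, A, B)


if __name__ == "__main__":
    print("store rejects corrupted block:", store_detects_corruption())
    crc_affine, sha_affine = linearity_results()
    print("CRC-32 satisfies the affine relation:", crc_affine)
    print("SHA-1 satisfies the affine relation: ", sha_affine)
```

The CRC relation holds for every pair of equal-length inputs, not just these; with SHA-1 it would hold only by a 2^-160 accident. That structure is the concrete meaning of "defends against accidental corruption" versus "makes deliberate collisions hard".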
