1.  the sender can't control email headers.  many
transfer agents add a random transfer-id which
would confound this attack.

If you know the size of the transfer id, you can pad out
to the next full block size.

2.  if the rcpt uses mbox format, the sender can't
control how your message is fit into venti blocks.
the sender would need to control the entire
mail box.

I'm ignorant on this front.

3.  http://en.wikipedia.org/wiki/SHA_hash_functions
says that there have been no SHA1 collisions found.

IIUC there has been significant progress in attacking
all major hash functions and the cryptographic community
has low confidence in all major hash functions at the
moment.  Some hash algorithms have more serious attacks
than others, but once a few weaknesses are found it's
usually an indication that the algorithm will fall soon.

Re: SHA1, it looks like the strength has been whittled
down to around 2^52 operations:
http://www.schneier.com/blog/archives/2009/06/ever_better_cry.html

I'm not saying that there is a viable attack against
your SHA-indexed venti right now.  I'm saying that it's
bunk to evaluate the storage system simply on how likely
it is for a random collision to occur.  The proper analysis
is how hard it is for a malicious attacker to cause a
collision now and in the near future.

- erik

Tim Newsham | www.thenewsh.com/~newsham | thenewsh.blogspot.com
