Potential IPFS Security Issue

This is likely a low probability issue; however, if there are authentication systems that store encrypted passwords with the same hashing algorithm used by IPFS, then it would be possible to populate a multitude of IPFS documents, one for each password combination, thus providing a hash lookup table for malicious agents to reverse look up passwords if they know the hash.

I have not looked in depth into the algorithms being used, but I assume there is a low probability this would be a viable exploit.

Another consideration is that as IPFS content grows, it could be used as training data for AI to discover a currently unknown pattern to the hashing algorithm in use, thus enabling future exploits for security systems which depend on the same cryptographic algorithms.

I’m sure brighter, more knowledgeable persons than I have already considered and addressed these issues in the IPFS implementation. But I thought I would point them out in case this is of value to anyone.

– Cheers

Content in IPFS isn’t usually addressed by its plain SHA-256 hash; there’s usually metadata included with each block that affects the final identifier. It seems really unlikely for there to be real passwords that include the kinds of metadata that wraps IPFS blocks.

The default hashing algorithm used with IPFS is the same as what’s used by Bitcoin: SHA-256. Do you believe this also applies to Bitcoin?

That’s generally called a “rainbow table”. Using IPFS for this would likely be pretty inefficient.

FYI, the usual fix is something called salting: https://en.wikipedia.org/wiki/Rainbow_table#Defense_against_rainbow_tables.
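
Added example, not part of any post in this thread: the two points raised in the replies (block metadata changes what gets hashed, and salting defeats precomputed tables) worked through in Python. It assumes the UnixFS/dag-pb wrapping of a single small, non-empty file; the candidate passwords are constructed samples, and salted PBKDF2 stands in for "salting".

```python
import hashlib
import os

def varint(n: int) -> bytes:
    """Encode an unsigned protobuf varint."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        out.append(byte | (0x80 if n else 0))
        if not n:
            return bytes(out)

def unixfs_block(content: bytes) -> bytes:
    """dag-pb node wrapping one non-empty UnixFS file chunk (assumed layout)."""
    unixfs = (b"\x08\x02"                                 # Type = File
              + b"\x12" + varint(len(content)) + content  # Data
              + b"\x18" + varint(len(content)))           # filesize
    return b"\x0a" + varint(len(unixfs)) + unixfs         # PBNode.Data

def ipfs_digest(content: bytes) -> bytes:
    """SHA-256 over the wrapped block: the digest a CID would carry."""
    return hashlib.sha256(unixfs_block(content)).digest()

def unsalted_hash(password: bytes) -> bytes:
    """Weak scheme from the original post: bare SHA-256 of the password."""
    return hashlib.sha256(password).digest()

def salted_hash(password: bytes, salt: bytes) -> bytes:
    """Per-user salt plus a slow KDF, so one table cannot serve all users."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def demo() -> dict:
    candidates = [b"hunter2", b"letmein", b"correct horse"]  # constructed
    ipfs_table = {ipfs_digest(p): p for p in candidates}     # keyed by block hash
    plain_table = {unsalted_hash(p): p for p in candidates}  # classic lookup table
    stored_unsalted = unsalted_hash(b"hunter2")
    stored_salted = salted_hash(b"hunter2", os.urandom(16))
    return {
        "ipfs_table_vs_unsalted": ipfs_table.get(stored_unsalted),
        "plain_table_vs_unsalted": plain_table.get(stored_unsalted),
        "plain_table_vs_salted": plain_table.get(stored_salted),
    }

if __name__ == "__main__":
    print(demo())
```

Only the plain SHA-256 table recovers the unsalted entry; the table keyed by wrapped-block digests and the lookup against the salted hash both miss.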