Senator Diane Feinstein Wants to know about the Benefits of P2P
Joel Jaeggli
joelja at darkwing.uoregon.edu
Mon Aug 30 21:01:23 UTC 2004
On Mon, 30 Aug 2004, Dan Hollis wrote:
>
> On Mon, 30 Aug 2004, james edwards wrote:
>>> Not true. For those of us who host Akamai servers, we could download SP2
>>> with no problems. We did not need P2P, or MSDN. In fact, I would be very
>>> reluctant to trust a Windows update downloaded via P2P.
>> Have you heard of MD5 sum ?
>
> yep md5 made the news recently because it's been cracked:
>
> http://techrepublic.com.com/5100-22-5314533.html
> http://www.rtfm.com/movabletype/archives/2004_08.html#001055
It hasn't actually but I guess the differences are to subtle some people
to grasp.
It is now possible to generate a collision [*] (ie two files with the same
md5 hash) for a given hash. generating a file with a malicious payload
that has the same hash as another file is left as an exercise to the
reader.
The implication of course is that it's time to switch hash Algorithms to
sha-1 or sha-2(224,256,384,512), not that hash algorithms are a bad way to
validate integrety of data.
The other component of course is having the hash be signed in some fashion
by a trusted third party, such at the package or ditribution maintainer or
creator so you validate the hash then verfiy the file integrety. most
linux distributions and freebsd images and macosX updates use such a
scheme.
* - http://eprint.iacr.org/2004/199.pdf
> -Dan
>
--
--------------------------------------------------------------------------
Joel Jaeggli Unix Consulting joelja at darkwing.uoregon.edu
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
More information about the NANOG
mailing list