[73626] in North American Network Operators' Group
Re: Senator Diane Feinstein Wants to know about the Benefits of P2P
daemon@ATHENA.MIT.EDU (Joel Jaeggli)
Mon Aug 30 17:10:52 2004
Date: Mon, 30 Aug 2004 14:01:23 -0700 (PDT)
From: Joel Jaeggli <joelja@darkwing.uoregon.edu>
To: Dan Hollis <goemon@anime.net>
Cc: james edwards <hackerwacker@cybermesa.com>,
"Byron L. Hicks" <bhicks@nmsu.edu>, Jeff Wheeler <jwheeler@usip.org>,
Henry Linneweh <hrlinneweh@sbcglobal.net>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0408301310220.22285-100000@sasami.anime.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, 30 Aug 2004, Dan Hollis wrote:
>
> On Mon, 30 Aug 2004, james edwards wrote:
>>> Not true. For those of us who host Akamai servers, we could download SP2
>>> with no problems. We did not need P2P, or MSDN. In fact, I would be very
>>> reluctant to trust a Windows update downloaded via P2P.
>> Have you heard of MD5 sum?
>
> yep md5 made the news recently because it's been cracked:
>
> http://techrepublic.com.com/5100-22-5314533.html
> http://www.rtfm.com/movabletype/archives/2004_08.html#001055
It hasn't actually, but I guess the differences are too subtle for some
people to grasp.
It is now possible to generate a collision [*] (i.e. two files with the same
md5 hash) for a given hash. Generating a file with a malicious payload
that has the same hash as another file is left as an exercise to the
reader.
The implication of course is that it's time to switch hash algorithms to
sha-1 or sha-2 (224, 256, 384, 512), not that hash algorithms are a bad way to
validate integrity of data.
The other component of course is having the hash be signed in some fashion
by a trusted third party, such as the package or distribution maintainer or
creator, so you validate the hash, then verify the file integrity. Most
linux distributions and freebsd images and macosX updates use such a
scheme.
* - http://eprint.iacr.org/2004/199.pdf
> -Dan
>
--
--------------------------------------------------------------------------
Joel Jaeggli Unix Consulting joelja@darkwing.uoregon.edu
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
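The two-step scheme described in the message above (first check that the hash list is signed by the maintainer, only then compare file hashes, and refuse MD5 in the process), as an added example that is not part of the original post or of any distribution's tooling. Assumptions: the manifest uses the FreeBSD-style line format "SHA256 (name) = hex"; a hash-based Lamport one-time signature (built from nothing but SHA-256) stands in for the maintainer's GPG key, so the example runs with the Python standard library alone; the file names, file contents, and function names are all constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

# Only SHA-2 family lines are trusted; MD5/SHA-1 lines are rejected outright.
ACCEPTED_ALGOS = {"SHA224", "SHA256", "SHA384", "SHA512"}


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Maintainer side: Lamport one-time signature (stand-in for a GPG key). ---
# Each key pair signs exactly one message; reusing it leaks private key halves.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def _digest_bits(msg: bytes):
    d = int.from_bytes(sha256(msg), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    # Reveal, per digest bit, the preimage of the matching public-key entry.
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(msg)):  # no early exit: constant-time
        ok &= hmac.compare_digest(sha256(sig[i]), pk[i][bit])
    return ok


def make_manifest(files: dict) -> bytes:
    # FreeBSD CHECKSUM.SHA256 style: "SHA256 (name) = hexdigest"
    lines = [f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}"
             for name, data in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()


# --- Downloader side ---
LINE_RE = re.compile(r"^([A-Z0-9]+) \((.+)\) = ([0-9a-fA-F]+)$")


def parse_manifest(manifest: bytes) -> dict:
    entries = {}
    for raw in manifest.decode().splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable manifest line: {raw!r}")
        algo, name, hexdigest = m.groups()
        if algo not in ACCEPTED_ALGOS:
            raise ValueError(f"refusing weak hash {algo} for {name}")
        entries[name] = (algo.lower(), hexdigest.lower())
    return entries


def verify_release(files: dict, manifest: bytes, signature, maintainer_pk) -> dict:
    # Step 1: authenticate the manifest. An unsigned or re-signed hash list
    # from a P2P peer proves nothing, so no file hash is even looked at.
    if not lamport_verify(maintainer_pk, manifest, signature):
        raise ValueError("manifest signature does not verify; ignoring all hashes")
    # Step 2: now the hashes are the maintainer's; compare each downloaded file.
    results = {}
    for name, (algo, expected) in parse_manifest(manifest).items():
        if name not in files:
            results[name] = False
            continue
        actual = hashlib.new(algo, files[name]).hexdigest()
        results[name] = hmac.compare_digest(actual, expected)
    return results


def demo() -> dict:
    files = {"update.exe": b"constructed update bytes", "readme.txt": b"hello"}  # constructed
    sk, pk = lamport_keygen()
    manifest = make_manifest(files)
    sig = lamport_sign(sk, manifest)
    out = {"clean": verify_release(files, manifest, sig, pk)}
    # Peer served a different payload: hash mismatch on that one file.
    tampered = dict(files)
    tampered["update.exe"] = b"constructed malicious bytes"
    out["tampered_file"] = verify_release(tampered, manifest, sig, pk)
    # Peer also rewrote the manifest to match: rejected at the signature step.
    try:
        verify_release(tampered, make_manifest(tampered), sig, pk)
        out["forged_manifest_rejected"] = False
    except ValueError:
        out["forged_manifest_rejected"] = True
    # A correctly signed MD5-only manifest is still refused.
    md5_line = b"MD5 (update.exe) = " + hashlib.md5(files["update.exe"]).hexdigest().encode() + b"\n"
    sk2, pk2 = lamport_keygen()
    try:
        verify_release(files, md5_line, lamport_sign(sk2, md5_line), pk2)
        out["md5_rejected"] = False
    except ValueError:
        out["md5_rejected"] = True
    return out
```

The ordering in verify_release is the point: the signature over the manifest is what makes the hashes worth comparing, which is why a tampered manifest is refused before any digest is computed, and why a verifier should refuse MD5 lines rather than quietly accept them.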