Re: Senator Diane Feinstein Wants to know about the Benefits of P2P

[Majdi Abbas <majdi () puck nether net>]

On Mon, Aug 30, 2004 at 02:33:21PM -0700, Gregory Hicks wrote:
> Actually...  
>
> The "collision" problem discovered means that there might be MULTIPLE 680MB 
> files that give the same checksum.  
>
> Of course, the utility of most of these files would be an exercise left to 
> the 'cracker' if you were looking for an OS patch but ended up with the 
> contents of an encyclopeida.

        Actually...

        None of the demonstrated collisions are in a file approaching 
anything close to the size of a typical CD.  They are only 1024 bit (128 
byte) files, and the found collisions only differ from the original by
a few bytes.

        Finding a collision in a 200+ MB patch file is not terribly useful
unless you can actually make the patch do something it shouldn't, or not do,
something it should.  This is computationally expensive in the extreme.

        And even if you manage to do so, odds are that your file, even if it
is both detrimental and a collision in MD5, would not also be a hash collision
when hashed with SHA-1, or -256, -512, and the like.

        I could quite easily avoid this problem by hashing the source file
using a few different algorithms and comparing all of those hashes to the 
received file.

        There have been some near collisions (on modified versions of MD5)
in existance for several years; the fact that MD5 is not a perfect hashing
algorithm is not a surprise.  MD5 is weaker than previously thought, sure.
But is this really likely to be a problem for network operators soon? I
don't think so, although people should evaluate these risks for themselves.

        --msa