Full Disclosure mailing list archives
Re: Month of Random Hashes: DAY THREE
From: Valdis.Kletnieks () vt edu
Date: Fri, 15 Jun 2007 16:56:52 -0400
On Fri, 15 Jun 2007 16:59:01 -0300, "M.B.Jr." said:
but only one string can produce that md5 hash signature, that sha1 hash signature, fucking that sha256 hash signature, fucking that <any_other> hash signature, etc...
Nope. There's an infinite number of strings that would produce the same MD5/sha1/sha256/whatever hash. The interesting point about such hashes is that although given a particular string A, we can *easily* compute the hash H. However, knowing H, we don't have a good way to recover A, nor do we have any easy way to compute a *second* string B that hashes to H. So, given a hash H, we know one of 3 things is true: 1) The person we got H from has A, and easily computed H. 2) The person doesn't have A, but does have either a way to use several million CPU-years or a crypto breakthrough to compute some string B that also hashes to H 3) The person just pulled a pseudo-random string of bits out of their ass, called it H, and has as little clue about A and B as we do. At the current time, (2) is believed to be impractical, and (3) fails the instant the person actually has to produce A itself. As a result, we can usually presume that if they have a hash H, they've got the A it hashed from. This becomes interesting if you want to prove that you have a prior claim on something, without revealing the something (for instance, an advisory or PoC for something while you're still working with a vendor about fixing it) - you can (for instance) post the hash of it on May 1, release the announcement on July 1, and when others dispute your claim you knew about it on May 1, you can point to the hash from May 1, and show it's the same as the hash of your July 1 announcement, and thus prove you knew about it back on that date.
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Month of Random Hashes: DAY THREE Month of Random Hashes (Jun 12)
- Re: Month of Random Hashes: DAY THREE Dëêþàñ Çhäkrãvârthÿ (Jun 13)
- Re: Month of Random Hashes: DAY THREE Brian Dessent (Jun 13)
- Re: Month of Random Hashes: DAY THREE Guasconi Vincent (Jun 14)
- Re: Month of Random Hashes: DAY THREE Tõnu Samuel (Jun 15)
- Re: Month of Random Hashes: DAY THREE M . B . Jr . (Jun 15)
- Re: Month of Random Hashes: DAY THREE Brian Dessent (Jun 15)
- Re: Month of Random Hashes: DAY THREE Pavel Kankovsky (Jun 16)
- Re: Month of Random Hashes: DAY THREE Valdis . Kletnieks (Jun 15)
- Re: Month of Random Hashes: DAY THREE Jason Miller (Jun 15)
- Re: Month of Random Hashes: DAY THREE M . B . Jr . (Jun 15)
- Re: Month of Random Hashes: DAY THREE Brian Dessent (Jun 13)
- Re: Month of Random Hashes: DAY THREE William Lefkovics (Jun 16)
- Re: Month of Random Hashes: DAY THREE M . B . Jr . (Jun 16)
- Re: Month of Random Hashes: DAY THREE Dëêþàñ Çhäkrãvârthÿ (Jun 13)
- <Possible follow-ups>
- Fwd: Month of Random Hashes: DAY THREE rashid mohammed (Jun 15)
- Re: Fwd: Month of Random Hashes: DAY THREE Month of Random Hashes (Jun 15)
- Re: Month of Random Hashes: DAY THREE Month of Random Hashes (Jun 15)
- Re: Month of Random Hashes: DAY THREE Month of Random Hashes (Jun 15)
- Re: Month of Random Hashes: DAY THREE Month of Random Hashes (Jun 15)