[Cryptography] Sony finding SHA1 collisions?
Dennis E. Hamilton
dennis.hamilton at acm.org
Fri Dec 12 14:47:28 EST 2014
-- Edited Original --
From: Benjamin Kreuter
Sent: Friday, December 12, 2014 05:34
This article seems to be saying that Sony has been using SHA1 collisions
to attack BitTorrent:
http://arstechnica.com/tech-policy/2014/12/sony-fights-spread-of-stolen-data-by-using-bad-seed-attack-on-torrents/?q=1
Does anyone know if that is what Sony is actually doing? I cannot seem
to find more details after ~5 minutes of Googling.
<orcnote>
The precise statement is this: "[The SHA1 signature is in the
metadata provided with the seed, not a result of a file that
causes a SHA1 "collision" by matching the file's exact hash.]"
From that it appears that it is not about the actual hash of
the file but of matching a metadata entry.
It appears that the protocol does not involve any kind of
authentication between the seed and the metadata or else it
does and it doesn't matter, the goal being to misdirect
downloads, not provide any kind of authenticated result.
Of course, there has been progress in manipulating a file
so that its SHA1 matches a given hash value. Since the
"collision" can be complete garbage, it is not useful as
a forgery/counterfeit and might work in this case. That
does not seem to be necessary for what Sony is reported
as doing.
</orcnote>
-- Ben
More information about the cryptography
mailing list