[Cryptography] Sony finding SHA1 collisions?

Dennis E. Hamilton dennis.hamilton at acm.org
Fri Dec 12 14:47:28 EST 2014

 -- Edited Original --
From: Benjamin Kreuter
Sent: Friday, December 12, 2014 05:34

This article seems to be saying that Sony has been using SHA1 collisions
to attack BitTorrent:


Does anyone know if that is what Sony is actually doing?  I cannot seem
to find more details after ~5 minutes of Googling.

     The precise statement is this: "[The SHA1 signature is in the 
     metadata provided with the seed, not a result of a file that 
     causes a SHA1 "collision" by matching the file's exact hash.]"  
     From that it appears that it is not about the actual hash of 
     the file but of matching a metadata entry.  

     It appears that the protocol does not involve any kind of 
     authentication between the seed and the metadata or else it
     does and it doesn't matter, the goal being to misdirect 
     downloads, not provide any kind of authenticated result.

     Of course, there has been progress in manipulating a file
     so that its SHA1 matches a given hash value.  Since the
     "collision" can be complete garbage, it is not useful as
     a forgery/counterfeit and might work in this case.  That
     does not seem to be necessary for what Sony is reported
     as doing.

-- Ben

More information about the cryptography mailing list