Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Month of Random Hashes: DAY THREE
From: M.B.Jr. <marcio.barbado () gmail com>
Date: Fri, 15 Jun 2007 23:32:50 -0300

On 6/15/07, Jason Miller <jammer128 () gmail com> wrote:
I still think this is useless. What am I going to do with hashes? This
whole Month of * BS is making me want to unsubscribe from the listing.

Jason, do it please...

Dessent,
did I mentioned concatenated hashes?
you trippin man...

Kletnieks,
it's possible but it is not a rule.

so if the number of NON-CONCATENATED hashes tends to infinite, your chances
tend to zero.

On Fri, 15 Jun 2007 16:59:01 -0300, "M.B.Jr." said:
> but only one string can produce that md5 hash signature,
> that sha1 hash signature, fucking that sha256 hash signature, fucking
that
> <any_other> hash signature, etc...

My "etc" means "fucking that <any_other> hash signature" INFINITE times...




On 6/15/07, Jason Miller <jammer128 () gmail com> wrote:

I still think this is useless. What am I going to do with hashes? This
whole Month of * BS is making me want to unsubscribe from the listing.

On 6/15/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
> On Fri, 15 Jun 2007 16:59:01 -0300, "M.B.Jr." said:
> > but only one string can produce that md5 hash signature,
> > that sha1 hash signature, fucking that sha256 hash signature, fucking
that
> > <any_other> hash signature, etc...
>
> Nope.  There's an infinite number of strings that would produce the same
> MD5/sha1/sha256/whatever hash.  The interesting point about such hashes
is
> that although given a particular string A, we can *easily* compute the
hash H.
> However, knowing H, we don't have a good way to recover A, nor do we
have any
> easy way to compute a *second* string B that hashes to H.
>
> So, given a hash H, we know one of 3 things is true:
>
> 1) The person we got H from has A, and easily computed H.
> 2) The person doesn't have A, but does have either a way to use several
million
> CPU-years or a crypto breakthrough to compute some string B that also
hashes to H
> 3) The person just pulled a pseudo-random string of bits out of their
ass,
> called it H, and has as little clue about A and B as we do.
>
> At the current time, (2) is believed to be impractical, and (3) fails
the
> instant the person actually has to produce A itself.  As a result, we
can
> usually presume that if they have a hash H, they've got the A it hashed
from.
>
> This becomes interesting if you want to prove that you have a prior
claim on
> something, without revealing the something (for instance, an advisory or
PoC
> for something while you're still working with a vendor about fixing it)
- you
> can (for instance) post the hash of it on May 1, release the
announcement on
> July 1, and when others dispute your claim you knew about it on May 1,
you can
> point to the hash from May 1, and show it's the same as the hash of your
July 1
> announcement, and thus prove you knew about it back on that date.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
Marcio Barbado, Jr.
==============
==============
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault