I still think this is useless. What am I going to do with hashes? This whole Month of * BS is making me want to unsubscribe from the listing.
On 6/15/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> On Fri, 15 Jun 2007 16:59:01 -0300, "M.B.Jr." said:
> > but only one string can produce that md5 hash signature,
> > that sha1 hash signature, fucking that sha256 hash signature, fucking that
> > <any_other> hash signature, etc...
>
> Nope. There's an infinite number of strings that would produce the same
> MD5/sha1/sha256/whatever hash. The interesting point about such hashes is
> that although given a particular string A, we can *easily* compute the hash H.
> However, knowing H, we don't have a good way to recover A, nor do we have any
> easy way to compute a *second* string B that hashes to H.
>
> So, given a hash H, we know one of 3 things is true:
>
> 1) The person we got H from has A, and easily computed H.
> 2) The person doesn't have A, but does have either a way to use several million
> CPU-years or a crypto breakthrough to compute some string B that also hashes
> to H
> 3) The person just pulled a pseudo-random string of bits out of their ass,
> called it H, and has as little clue about A and B as we do.
>
> At the current time, (2) is believed to be impractical, and (3) fails the
> instant the person actually has to produce A itself. As a result, we can
> usually presume that if they have a hash H, they've got the A it hashed from.
>
> This becomes interesting if you want to prove that you have a prior claim on
> something, without revealing the something (for instance, an advisory or PoC
> for something while you're still working with a vendor about fixing it) - you
> can (for instance) post the hash of it on May 1, release the announcement on
> July 1, and when others dispute your claim you knew about it on May 1, you can
> point to the hash from May 1, and show it's the same as the hash of your July 1
> announcement, and thus prove you knew about it back on that date.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
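
The prior-claim scheme described in the quoted message, as an added example that is not part of the original thread: hash the announcement, publish H, and later reveal the exact bytes so anyone can recompute it. The function names and sample text are hypothetical, and the random nonce mixed into the hash is an assumption added here (the thread hashes the document alone) so that a short or guessable announcement cannot be confirmed by guessing candidates against the published H.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 32  # fixed length, so nonce || document splits only one way


def commit(document: bytes) -> tuple:
    """Day 1: return (H, nonce). Publish H; keep document and nonce private."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return hashlib.sha256(nonce + document).hexdigest(), nonce


def verify(published_hash: str, document: bytes, nonce: bytes) -> bool:
    """Release day: anyone recomputes the hash from the revealed bytes."""
    if len(nonce) != NONCE_LEN:
        return False
    recomputed = hashlib.sha256(nonce + document).hexdigest()
    return hmac.compare_digest(recomputed, published_hash.strip().lower())


def demo() -> dict:
    # Constructed sample text standing in for the advisory (A in the thread).
    advisory = b"Constructed advisory: example product, example bug, draft 1.\n"
    h, nonce = commit(advisory)  # H is what would be posted on May 1
    return {
        "exact_bytes": verify(h, advisory, nonce),
        # One changed byte (here a stripped trailing newline) breaks the
        # proof, so archive the exact file that was hashed.
        "edited_copy": verify(h, advisory.rstrip(b"\n"), nonce),
        # Case (3) in the thread: a made-up H fails once A must be shown.
        "made_up_hash": verify(secrets.token_hex(32), advisory, nonce),
        "wrong_nonce": verify(h, advisory, secrets.token_bytes(NONCE_LEN)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The hash only shows which bytes were held; the date comes from wherever H was posted, such as the list archive.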
