I'm referring to infosec forensics not legal forensics. Believing what you see on a computer screen makes invalid assumptions any time an attacker can anticipate what it is that you expect to see. Using MD5/SHA-1/etc. for hashing leaves you vulnerable to this type of social engineering where your expectations are satisfied therefore you think you're secure -- but anyone, anywhere could have come up with the key (the right hash) that will satisfy your expectations -- so what good were those expectations in the first place? Jason Coombs jasoncat_private -----Original Message----- From: Ed Carp [mailto:ercat_private] Sent: Thursday, January 23, 2003 10:16 AM To: Jason Coombs Cc: adminat_private; securityfocus.com!forensics@adsl-61-76-31.pns.bellsouth.net Subject: RE: CRC32 vd MD5 On Sun, 19 Jan 2003, Jason Coombs wrote: > I gain some security through obscurity if I supplement standard hash > algorithms with algorithms of my own design -- and not because my own > algorithms are going to be as provably secure/free of collisions, but > because it is impossible for an attacker to know ahead of time what their > bits are going to look like when processed by my code unless they first > obtain a copy of my code. > > This is an appropriate role for security through obscurity; often times I disagree. If you can't prove that your algorithms don't actually increase the chances of a collision, they're worthless, and they wouldn't stand up for more than 30 seconds in a court of law. By using your own algorithms, you're just handing the case to a smart defense attorney - on a very silver platter. -- Ed Carp, N7EKG http://www.pobox.com/~erc 214/986-5870 Licensed Texas Peace Officer Computer Crime Investigation Consultant Director, Software Development Escapade Server-Side Scripting Engine Development Team http://www.squishedmosquito.com Microsoft Front Page - the official HTML editor of Al Qaeda Microsoft Hotmail - the official email of Al Qaeda ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 13:14:58 PST