Data storage giant EMC
is trying to allay
fears that its Centera platform was susceptible to a flaw uncovered in
the popular MD5
EMC's Centera secure storage platform uses MD5 hash integrity for its single-instancing storage (SIS) offering, prompting jitters among customers when word leaked out at the recent Crypto 2004 conference that the algorithm could be easily cracked.
However, EMC insists its use of the secure hashing algorithm did not put customers' data at risk, because the algorithm is enhanced and buried in the platform.
By burying the MD5 enhancements, a spokesman for EMC said the full algorithm is never available for cracking. "We emphatically dispute the spreading [fear] around our Centera product and the idea that a security flaw puts data at risk for duplication, corruption, or any malicious changes," Rob Callery, EMC spokesman, told internetnews.com.
The MD5 algorithm is used to convert an arbitrarily long data stream into a digest of fixed size. It is widely used to ensure message integrity and as part of creating and verifying digital signatures.
At Crypto 2004, French researcher Antoine Joux presented information on a weakness discovered in MD5, confirming earlier fears that the algorithm was not appropriate for single-instancing storage.
But, according to Callery, the researcher didn't find a way to create a new file that creates an address to an existing file. "They only showed a way of inducing collisions between random objects," he said. "The important point is that they cannot induce collisions with existing objects."
EMC maintains that nobody has proven that it is possible to reverse-engineer a small binary file -- as has been described -- with the same hash as those generated for the file to be obscured, and no tools exist to do that. "The researchers' results have been totally misused. They did not show that you could forge an address to an existing object," Callery said.
He said Centera used two different types of naming schemes. One is based on MD5 and another is based on MD5 and an EMC-developed algorithm, which also incorporates time stamps. Because an EMC algorithm is added to the mix, Callery said crackers looking to induce a collision between a legitimate file and a malicious file would have to create both files and store them on Centera "at the same exact time, on the same exact entry node and have exactly the same content."