EMC Defends Centera's Integrity

NetApp tries to drag EMC into algorithm abyss

August 24, 2004


EMC Corp. (NYSE: EMC) says the authenticity of records stored on Centera systems has not been compromised by recently publicized flaws in the MD5 algorithm. That's the method EMC's content addressable system (CAS) uses to create digital signatures (see EMC Enhances Centera and EMC Preps Centera).

Researchers from China, France, and Israel presented findings last week at the Crypto 2004 conference in Santa Barbara, Calif., that showed MD5 could be easily cracked. Network Appliance Inc. (Nasdaq: NTAP) charged via email that the data of any storage system that relies on MD5 is at risk -- specifically, EMC's Centera.

EMC, however, says the biggest flaw is in the way NetApp has spun the findings.

“EMC emphatically disputes the spreading of FUD around our Centera product and the idea that a security flaw puts data at risk for duplication, corruption, or any malicious changes,” an EMC spokesman said today.

The MD5 algorithm is used for digital signature applications, in which a large file must be securely compressed before it is encrypted with a private key. MD5 underlies Centera’s single-instance storage capability, which reduces storage overhead by storing only one copy of a file with a unique content address. Pointers are used for subsequent copies of the same record.

Val Bercovici, Network Appliance’s chief technical architect of ILM data protection and compliance solutions, says the recent research points to a problem with single-instance storage. Bercovici says the research shows hackers no longer must rely on trying all possible key combinations -- known as "brute force attacks" -- to crack MD5.

“The algorithm has been compromised,” Bercovici says. “Instead of using brute force attacks, the flaw provides a shortcut.”

Bercovici says the flaw could lead to hackers creating a script that allows someone to reverse-engineer a binary file with the same address as an existing file. That person could send himself an email with the bogus file as an attachment, then send out another email with the original file. MD5 would read the second attachment as being the same as the first, and fail to store it.

Scenario: Say the second attachment reveals sensitive company information that cannot be shared legally with an outsider. An auditor looking for evidence would find only the first attachment stored on the system. Bercovici says such a scenario means Centera may not meet the SEC’s compliance requirement that data must be stored in a non-rewritable, non-erasable form (see Five Points for Staying Compliant and The Real Cost of Compliance).

Roy Sanford, EMC’s VP of CAS, says that scenario is not possible using Centera. He says the cryptographers did not find a way to create a new file with an address to an existing file, but only found how to give the same address to random files. That would prevent the above scenario from taking place.

“They did not show you could forge an address to an existing object,” Sanford says.

Sanford also points out that Centera doesn't solely rely on MD5 for naming files. It uses a second naming scheme based on MD5, plus an EMC-developed algorithm that incorporates time stamps. To give two files using MD5 plus the EMC algorithm the same content address, “both files would have to be created and stored on Centera at the same exact time, on the same exact entry node and have exactly the same content,” Sanford says.
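As an added illustration (not EMC's implementation and not code from the article), the sketch below models single-instance storage keyed by an MD5 content address and the disputed scenario in which a second, different file arriving under an existing address is never stored, next to a write-time byte comparison that detects it. `SingleInstanceStore`, `address` and `colliding_pair` are hypothetical names, and the demo truncates MD5 to 8 bits as a stand-in so that two constructed records share an address; it does not model Centera's timestamp-based scheme.

```python
import hashlib

class AddressCollision(Exception):
    """Different content arrived under an address that is already in use."""

def address(data: bytes, hex_digits: int = 32) -> str:
    # hex_digits=32 is full MD5; the demo assumes 2 (8 bits) so collisions are easy to hit.
    return hashlib.md5(data).hexdigest()[:hex_digits]

class SingleInstanceStore:
    def __init__(self, hex_digits=32, verify=True):
        self.hex_digits, self.verify = hex_digits, verify
        self.blobs = {}  # address -> the single stored copy
        self.refs = {}   # address -> number of pointers to that copy

    def put(self, data: bytes) -> str:
        addr = address(data, self.hex_digits)
        held = self.blobs.get(addr)
        if held is None:
            self.blobs[addr] = data
        elif self.verify and held != data:
            # Same address, different bytes: refuse instead of adding a pointer.
            raise AddressCollision(addr)
        self.refs[addr] = self.refs.get(addr, 0) + 1
        return addr

def colliding_pair(hex_digits=2):
    # Constructed sample records; one more input than there are addresses must collide.
    seen = {}
    for i in range(16 ** hex_digits + 1):
        data = b"constructed-record-%d" % i
        addr = address(data, hex_digits)
        if addr in seen:
            return seen[addr], data
        seen[addr] = data

def demo():
    first, second = colliding_pair()
    naive = SingleInstanceStore(hex_digits=2, verify=False)
    naive.put(first)
    lost = naive.blobs[naive.put(second)] != second  # second record was never stored
    checked = SingleInstanceStore(hex_digits=2)
    checked.put(first)
    try:
        checked.put(second)
    except AddressCollision:
        return lost, True
    return lost, False
```

With `verify=True` the store compares bytes whenever an address is already occupied, so a collision surfaces as an error at write time instead of as a missing record at audit time.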

While the hacking tool does not yet exist to crack the algorithm in such a way, NetApp’s Bercovici says cryptographers’ recent findings open the door. “The proof will be in the pudding,” he says. “I believe the sessions at Crypto 2004 show you can generate a hash on any content, not just random content. We’ll see if hackers will develop tools.”

Security experts say hackers usually come up with tools soon after a flaw is found. One executive at a company that sells security appliances, who requested not to be identified, points out that MD5 has been around since 1991 and is old by encryption standards.

“This could be the first crack in the dam,” he says. “A lot of cracks don’t unlock encryption directly, but they reduce its strength. Usually when that happens, you see tools come along to unlock it.”

— Dave Raffo, Senior Editor, Byte and Switch
