EMC Corp.’s Centera disk array is under some sort of threat now that the encryption algorithm that it uses has been shown to be vulnerable, but it is not clear how real the threat is.
The algorithm is called MD5, and vulnerabilities to it were demonstrated at the Crypto 2004 Conference in California last week. Alongside other products, MD5 is used in the Centera, a large-scale ATA disk array that has been bought by many customers to achieve compliance with data retention regulations.
EMC has sold over 7PB of a Compliance Edition of the Centera – something in the order of $140 million of hardware if sold at $20 per gigabyte. If MD5 has been compromised, then so could be the compliance status of the Centera, analysts said.
It’s too soon to know either way, said Chuck Standerfer, analyst at the Evaluator Group. Peter Gerr, analyst at the Enterprise Strategy Group, said: The evidence I’ve seen is conflicting in some cases, and in some cases inconclusive.
But Gerr said he is skeptical that real problems will be generated. This is a big story in the academic world, but I’m not certain about its impact in the commercial world.
EMC insisted that there is no risk that the SEC or other bodies will tell Centera users that they are no longer compliant. There are multiple reasons why they won’t do that, said Roy Sanford, vice president at EMC.
Even if the MD5 algorithm does have to be abandoned – something extremely unlikely to happen according to EMC – the company says the Centera can be configured to use an existing version of MD5 extended with proprietary technology, called MD5 Plus. Switching from an existing MD5 set-up to MD5 Plus is a piece of cake according to Sanford.
EMC stressed that the Centera uses MD5 for data authentication and addressing, not for security. The Centera uses the algorithm not to encrypt or scramble data, but to produce a digital fingerprint or hash from each data file stored.
The hash is created from the content of the file, so if contents are changed they no longer match the hash and tampering should be evident.
Last week they couldn’t duplicate fingerprints of existing files, they could only create collisions [duplicates] of random objects, said Sanford.