Context: I have a directory full of sensitive company files. I want to compare t

Question

Context: I have a directory full of sensitive company files. I want to compare these files with a colleague at a remote location, without the need for a secure connection.

Is it safe for me to publicly publish a list of the SHA-1 hashes of these files?

I understand that it's impossible to reverse the hashing algorithm, but since the hashes are calculated from the original file, is there any chance that an attacker could perform some sort of a brute force attack to rebuild the original file? (Note that collisions in this case don't matter.) It's clearly impossible with a 20 page document, but could small files be vulnerable?

What about if I used a more secure hashing algorithm, like SHA512?

(I'm not very familiar with salting, but I think it wouldn't help in this situation because I don't care if an attacker identifies two files as the same, just if they identify the original contents.)

Explanation / Answer

The security you are thinking of with regards to the hash strength and the security you are talking about with the hashes on the internet are two different things. Hashes like SHA* are designed to work quickly so that files you send and the file you receive can be verified to be the same, however, this makes it easier brute force, due to this speed.

What it all boils down to is bits of entropy: the more bits of entropy the file has, the longer it will take to guess. I would say that if your file is more than a (arbitrary limit) 1kb, it should be reasonably safe from brute-forcing.

However, that without a secure connection, you cannot guarantee that the messages have not been modified in transit.

If you are reasonably sure that your hashes are not going to be modified in transit, this should be a reasonable way to compare the two copies of the file.

Related Questions

Navigate

• Browse (All)
• Browse C
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.