Re: Does there exist an utility to compare 2 files on 2 servers without downloading those?

David Schwartz wrote:
On May 18, 11:17 am, John Reiser <jreise...@xxxxxxxxxxx> wrote:
David Schwartz wrote:
You can do a secure hash first, and if they match exactly, you're
done.

Absolutely NOT! Having the same hash is merely a collision.
For a "secure" hash the probability of a collision is close to
2 ** -(bit length of hash)
This is very small, but NOT ZERO. By the pigeon hole principle,
there must exist collisions as long as the file lengths exceed
the hash length.

different hashes ==> different
same hashes ==> unknown (except possibly when both files
are at most the size of the hash)

You're being an idiot. Even if you do a full compare, you still can't
be sure. A cosmic ray may have flipped a bit in transmission.

For a hash like SHA-256, the probability of a hash collision is orders
of magnitude less than a failure that would cause a full compare never
to take place, to take place over only part of the data, or to report
a correct comparison where there is none.

That assumes that the threat model is "random" differences. Some users
must consider deliberate attacks by highly motivated, resourceful,
and patient adversaries. For instance, it is somewhat easy to pre-compute
and sort the hashes of all 2**40 files of length 5 (five bytes). If the
hash from some user file matches, then the attacker delivers the corresponding
5-byte file instead of the original user file. There are real users today
who face large penalties if they ignore such a threat.
A user should demand [at least] both the same length and the same hash.

--
.

Relevant Pages