EMC, Channel React To NetApp Charges

accusations

That object is theoretically protected from alterations and deletions because a change in any part of the data results in a different fingerprint.

However, at the recently concluded Crypto 2004 conference, a French scientist delivered a paper showing that it is possible to circumvent MD5 security technology by creating a duplicate file with the same hash but different contents.

Following the conference, Sunnyvale, Calif.-based NetApp sent an e-mail to the media saying that "customers should know that EMC's CAS implementation may be fundamentally flawed" because of its use of MD5. The e-mail added that, since the technology used by Centera can be hacked, it might not comply with SEC regulations.

In an interview with CRN, Val Bercovici, NetApp's chief technical architect for information life-cycle management data protection and compliance, said the company is not specifically targeting EMC. "We're just discussing the technology," Bercovici said. "We are raising the awareness [of the problem] because of the Crypto conference."

EMC sees things differently.

"I think [NetApp is] attempting to compete with our technology by painting a different picture of [Centera]," said Roy Sanford, EMC's vice president of content-addressed storage. "Either they're doing this dishonestly or intellectually ignorantly."

According to Sanford, Centera does not rely on MD5 hashing alone to guard against hacking. Instead, EMC uses MD5 as part of its hashing scheme, and "pre-pends" date and time information and a random number generator to turn MD5's 128-bit protection into a 256-bit globally unique ID.

Most EMC solution providers have yet to hear of the controversy. "Sounds like a Holy War to me," said Joe Cunningham, general manager at Computer Professionals International, an Albany, N.Y.-based solution provider.

Actually, it's more of a "press war," said Arsenio Batoy, president of Optical Laser, a value-added distributor of Centera, based in Huntington Beach, Calif.

EMC has been actively contacting the channel to dispel doubts about Centera, and customers have been quiet about the accusations, Batoy said. "We've not seen anything from the trenches where the customer is nervous," he said. "I've seen zero impact."

One EMC solution provider said that because Centera directly interfaces with applications, it can only be used with applications that address it through the appropriate APIs. That limits the ability to compromise the information.

And Mark Teter, CTO of Denver-based solution provider Advanced Systems Group, said while it may be theoretically possible to hash an e-mail to replace the one originally being stored, there are other ways to get around the flaw in MD5.

"It's a game with security," he said. "How paranoid can you be? If it has to do with government, very paranoid."

Still, when it comes to security, paranoia can be healthy.

"Archival is a brave new world," Teter said. "The positive is, we're talking about it."

JOHN LONGWELL contributed to this story.