On Sat, Nov 26, 2005 at 09:13:02AM +1000, Anthony Towns wrote:
>> Moving away from MD5 is certainly not a bad idea, but it's not clear
>> whether the alternatives are any better. Sure, everyone recommends
>> SHA-256 at this stage, but nobody can give a rationale.
> MD5 is broken; SHA-1 is where MD5 was a couple of years ago, SHA256 (or
> higher) are significantly harder to break in practice, and there's
> nothing better yet.
Just a comment here for those who are not used to hash functions: "Broken" here means that you can generate collisions faster than using the birthday attack (2^64 for MD5, 2^80 for SHA-1). It does not have to mean that you can do _really_ evil stuff, like generate a second file with the same MD5 hash as a given file (so-called "second preimage", IIRC), and to the best of my knowledge, nobody has done so yet.

However, there's a long way from "you can't generate a valid .deb with a given md5sum easily" to "SHA-256 is no better than MD5". You can generate an MD5 collision in four hours on a standard desktop computer today; you're nowhere near that for SHA-1, and SHA-256 is still AFAIK not broken (although it relies on the same basic structure as MD5 and SHA-1). All three might eventually be truly broken, but you can bet that MD5 will be the first to go. If you use SHA-256 today instead of MD5, you probably buy yourself a few extra years, which you can use to smooth out the transition to the next hash function when the world advances.

/* Steinar */

-- 
Homepage: http://www.sesse.net/
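The distinction Steinar draws between a generic collision (birthday bound, roughly 2^(n/2) work for an n-bit hash) and a second preimage (roughly 2^n work) is easy to see on a deliberately shrunk hash. The following is an added illustration written for this page, not code from the thread or from Debian: it truncates SHA-256 to a small number of bits so that both searches finish in seconds, and reports how many hash evaluations each needed next to the theoretical birthday estimate sqrt(pi/2 * 2^n). The input naming scheme (`msg-<i>`, `alt-<i>`) and the bit sizes are arbitrary choices for the demonstration.

```python
import hashlib
from math import pi, sqrt


def truncated_digest(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits, standing in for a 'small'
    n-bit hash so the generic attacks below finish quickly (demo only)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int):
    """Generic birthday search: hash distinct inputs until two of them share
    a digest. Expected cost is about sqrt(pi/2 * 2^bits) evaluations.
    Returns (input_a, input_b, evaluations)."""
    seen = {}  # digest -> first input that produced it
    i = 0
    while True:
        msg = f"msg-{i}".encode()  # constructed, deterministic inputs
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg, i + 1
        seen[d] = msg
        i += 1


def find_second_preimage(target: bytes, bits: int, limit: int):
    """Brute-force a *different* input whose digest equals that of `target`.
    Expected cost is about 2^bits evaluations, i.e. the square of the
    collision cost. Returns (input or None, evaluations)."""
    want = truncated_digest(target, bits)
    for i in range(limit):
        cand = f"alt-{i}".encode()  # constructed candidate inputs
        if cand != target and truncated_digest(cand, bits) == want:
            return cand, i + 1
    return None, limit


def birthday_bound(bits: int) -> float:
    """Expected number of random inputs before the first collision."""
    return sqrt(pi / 2 * 2 ** bits)


if __name__ == "__main__":
    n = 20
    a, b, cost = find_collision(n)
    print(f"{n}-bit collision after {cost} hashes "
          f"(birthday estimate {birthday_bound(n):.0f}): {a!r} / {b!r}")

    n = 16
    target = b"the-file-we-care-about"  # constructed sample target
    alt, cost = find_second_preimage(target, n, limit=2 ** 20)
    print(f"{n}-bit second preimage: {alt!r} after {cost} hashes "
          f"(expected about {2 ** n})")
```

Running it shows the collision at 20 bits typically costing a few thousand hashes while the second preimage at only 16 bits costs tens of thousands; scaling those exponents up to 128 or 160 bits is exactly why "we can find MD5 collisions" and "we can forge a file matching a given md5sum" are very different claims.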