John Hardin wrote:
> Bob Proulx wrote:
> > If MD5 is the optimal size then it is the right size to use
> > regardless of vulnerabilities when used in a security critical
> > role.
>
> One of my core points was this _isn't_ a security-critical role. I
> hope you mistyped there, Bob.
I think we are in agreement. I don't think I mistyped anything. I read
that through several times just now and it reads okay to me. But the
author is always blind to their own mistakes. Let me clarify by saying
it differently.

I acknowledge that it is possible to generate hash collisions for md5
hashes, making it no longer suitable for use in security applications.
But since this isn't being talked about in a security role, that
restriction doesn't apply. It is not relevant to the discussion. With
that in mind, then, if md5 is a good algorithm to use then it is a good
algorithm to use. Let's not place additional unrelated restrictions
upon it. Using heavy algorithms inappropriately just slows down
programs without need. It is inefficient and inelegant.

I pretty much agreed with everything else you so eloquently wrote, with
the exception of this following item.

> To digress, I would suggest the solution to that (and what I wish
> PGP had implemented from day one) is to sign using two different
> cryptographic hash algorithms (e.g. MD5 _and_ SHA1). It's extremely
> unlikely that two different hash algorithms would have the same
> collision failure mode - i.e. it would be effectively impossible to
> generate a single plaintext that would generate the desired hashes
> for _both_ algorithms.

Using two algorithms combined is really just another algorithm itself.
Call it md5sha1 and there you have it. If such came into wide use it
would also be a target of study and attack. And counterintuitively,
sometimes the very act of having the same plaintext encrypted using two
different algorithms actually weakens the result!

Bob