On Tue, Oct 20, 2015 at 8:00 AM, Joachim Strömbergson <joac...@strombergson.com> wrote:
>
> Esp in embedded space, md5 is still very, very common even in new
> designs. And SHA-1 is the new black.
>
> A typical setup is that someone has found out that there is a secure
> hash function called md5 and decided to implement it in their new
> system. When told that md5 has in fact been broken for ages, the response is
> usually an at-the-moment decision that it is not used for security, and
> that the application doesn't really have any security implications (i.e.
> that the service performed by the system has no value).
Yep. Actually the post-hoc rationalization is usually that collision-resistance isn't needed, only (2nd-)pre-image resistance. Some of the time this is actually true, but I think the people making the claim don't really know whether it is true. I think what they typically do is spend 60 seconds trying to imagine how they could attack their own system using collisions, and then, having failed to find such an attack, they conclude that collision-resistance isn't needed for their system.

Here's one of my favorite examples of this methodology, from Linus Torvalds:

http://git.vger.kernel.narkive.com/9lgv36un/zooko-zooko-com-revctrl-colliding-md5-hashes-of-human-meaningful#post2

So, my attempted contribution to this pattern was to help specify BLAKE2, so that instead of telling people "MD5 is broken! Switch to this secure but slower hash function!" we could tell them "MD5 is broken! Switch to this secure but faster hash function!"

https://blake2.net/acns/slides.html

It remains to be seen if they are any more responsive to the new argument than they have been for the last couple of decades to the old argument.

Regards,

Zooko

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
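The distinction Zooko draws (collision resistance versus second-preimage resistance) is easiest to see in a system whose designers would say "the hash isn't used for security". The following is an added example for this thread, not code from Zooko, Joachim, or any project mentioned above. It assumes a hypothetical `ApprovalStore` in which a reviewer approves a document once and anything with an already-approved digest is later accepted unreviewed; the attacker submits the document that gets reviewed, so the attacker controls both inputs, which is precisely the collision setting. A 32-bit truncation of MD5 is a constructed stand-in for a hash whose collision resistance is gone (real MD5 collisions come from chosen-prefix tooling rather than a birthday search, but the effect on the store is the same), and the document strings are constructed sample input. The same scenario is then run against full-width BLAKE2b from `hashlib`, where a bounded birthday search finds nothing.

```python
import hashlib
from typing import Callable, Dict, Optional, Set, Tuple

Digest = Callable[[bytes], bytes]


def weak_digest(data: bytes) -> bytes:
    # Constructed weakness: MD5 truncated to 32 bits. By the birthday bound a
    # collision is expected after ~2^16 variants of each document, while a
    # second preimage of a fixed target would still cost ~2^32 tries.
    return hashlib.md5(data).digest()[:4]


def strong_digest(data: bytes) -> bytes:
    # Full-width BLAKE2b with a 256-bit output; a generic birthday attack
    # needs ~2^128 work, far beyond anything this search will reach.
    return hashlib.blake2b(data, digest_size=32).digest()


class ApprovalStore:
    """Hypothetical 'not security-relevant' component (assumption for this
    example): a reviewer approves a document once, and any later document
    whose digest is already approved is accepted without review.

    If the attacker could only react to documents approved by others, second-
    preimage resistance would suffice. Once the attacker chooses the document
    that gets approved, only collision resistance protects the store."""

    def __init__(self, digest: Digest) -> None:
        self.digest = digest
        self.approved: Set[bytes] = set()

    def approve(self, doc: bytes) -> bytes:
        d = self.digest(doc)
        self.approved.add(d)
        return d

    def is_approved(self, doc: bytes) -> bool:
        return self.digest(doc) in self.approved


def find_collision(digest: Digest, benign_prefix: bytes, malicious_prefix: bytes,
                   max_tries: int = 1 << 20) -> Optional[Tuple[bytes, bytes]]:
    """Birthday attack: vary a harmless trailer on both documents until some
    benign variant and some malicious variant share a digest.
    Returns (benign, malicious) or None if the budget runs out."""
    benign_seen: Dict[bytes, bytes] = {}
    malicious_seen: Dict[bytes, bytes] = {}
    for i in range(max_tries):
        benign = benign_prefix + b" # rev %d" % i
        malicious = malicious_prefix + b" # rev %d" % i
        db, dm = digest(benign), digest(malicious)
        if db == dm:
            return benign, malicious
        if db in malicious_seen:
            return benign, malicious_seen[db]
        if dm in benign_seen:
            return benign_seen[dm], malicious
        benign_seen[db] = benign
        malicious_seen[dm] = malicious
    return None


def attack(digest: Digest, max_tries: int = 1 << 20) -> Optional[bool]:
    """Run the whole scenario against a store keyed by `digest`.
    Returns True if the never-reviewed malicious document is accepted,
    None if no collision was found within the budget."""
    # Constructed sample documents; only the trailer is varied by the search.
    benign = b"pay 10 EUR to alice"
    malicious = b"pay 10000 EUR to mallory"
    pair = find_collision(digest, benign, malicious, max_tries)
    if pair is None:
        return None
    good, bad = pair
    store = ApprovalStore(digest)
    store.approve(good)            # the reviewer reads and approves the harmless text
    return store.is_approved(bad)  # the substituted document passes unreviewed


if __name__ == "__main__":
    print("truncated MD5 store accepts unreviewed document:", attack(weak_digest))
    print("BLAKE2b store, collision found within 2^16 tries:",
          attack(strong_digest, max_tries=1 << 16) is not None)
```

The interesting part is not that a 32-bit digest collides but where the collision is cashed in: nothing in `ApprovalStore` looks like a security check, which is why the "we don't use it for security" argument is so easy to make and so often wrong. The fix is the one the thread proposes: swap `weak_digest` for `strong_digest` and leave the rest of the store untouched. The bounded search against BLAKE2b finding nothing is not a proof of anything, only an illustration that the birthday bound has moved out of reach.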