In linux.debian.devel, you wrote:
> Worse, the existence of a practical md5(A+B+C)=md5(A+D+C) attack means
> that it's not out of the question that there're md5(A+B)=md5(C+D)
> attacks in the hands of particularly well resourced groups (which is
> worse, since the version uploaded to the archive could then be entirely
> innocent looking). Personally, I don't have any interest in making the
> NSA's job any easier, or that of other signals intelligence groups.

While this is arguably true (the NSA claims to have developed asymmetric
cryptography ten years ahead of Diffie/Hellman), it seems that nowadays
the end of the cold war and improved corporate interest have shifted
things, so I'm personally not _too_ worried about that.

>> >> Moving away from MD5 is certainly not a bad idea, but it's not clear
>> >> whether the alternatives are any better. Sure, everyone recommends
>> >> SHA-256 at this stage, but nobody can give a rationale.
>> > MD5 is broken; SHA-1 is where MD5 was a couple of years ago, SHA256 (or
>> > higher) are significantly harder to break in practice,
>> So? If SHA256 is so much better, why is it that nobody can prove it, or
>> at least can provide some evidence which supports that claim? "The
>> numbers are bigger" is the main argument at this point, which is
>> awfully similar to the usual snake-oil arguments (although there is a
>> slight difference, of course).
>
> SHA256 is better than SHA1 in the same way 2048 bit RSA keys are better
> than 512 bit RSA keys. MD5 is broken, and isn't extensible. SHA1 is
> fragile, but not broken, and is extensible. Do you have other
> suggestions?

I'd suggest the combination of several hash systems, e.g. RIPEMD-160, a
SHA-based algorithm and possibly Tiger.

>> > and there's nothing better yet.
>> In terms of security, there are some better hash functions.
>
> My understanding was that there aren't other hash functions that've had
> remotely similar levels of cryptographic analysis to md5 and sha. IIRC,
> the elliptic curve cryptography stuff was supposed to be similarly neat,
> until people started analysing it seriously, at which point it broke.

I'm not aware of any attacks beyond birthday attacks, which are still
infeasible for the recommended key sizes of >= 160 bits. ECC has several
patent problems, though.

Cheers,
Moritz
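As an added illustration of the multi-hash suggestion in the message above (not code from the thread or from any Debian tooling): an upload manifest that records several independent digests and is accepted only when every one of them matches, failing closed when a digest is missing, so a forged upload would have to collide all configured functions at once. The algorithm list, the sample bytes and the helper names are assumptions made for this example.

```python
import hashlib
import hmac

# Digests recorded per upload. Two SHA-based functions are always present in
# hashlib; RIPEMD-160 (also named in the thread) depends on the OpenSSL build,
# so it is probed once and added only if this interpreter can compute it.
ALGORITHMS = ["sha256", "sha512"]
try:
    hashlib.new("ripemd160", b"")
    ALGORITHMS.append("ripemd160")
except ValueError:
    pass


def multi_digest(data: bytes) -> dict:
    """Independent hex digests of the same bytes, one per configured algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def verify(data: bytes, manifest: dict) -> bool:
    """Accept only if every configured digest is present in the manifest and matches.

    A manifest that omits an algorithm (e.g. one carrying only md5) fails closed;
    a single mismatching digest also fails, so no one function is a single point
    of failure for the integrity check.
    """
    if any(name not in manifest for name in ALGORITHMS):
        return False
    actual = multi_digest(data)
    return all(hmac.compare_digest(actual[name], manifest[name]) for name in ALGORITHMS)


# Constructed sample "upload" and a one-byte-tampered variant (not real archive data).
ORIGINAL = b"Package: example\nVersion: 1.0\n" + b"\x00" * 64
TAMPERED = b"Package: example\nVersion: 1.0\n" + b"\x00" * 63 + b"\x01"


def demo() -> dict:
    """Genuine upload passes; tampered bytes and an md5-only manifest are rejected."""
    manifest = multi_digest(ORIGINAL)
    md5_only = {"md5": hashlib.md5(ORIGINAL).hexdigest()}
    return {
        "genuine": verify(ORIGINAL, manifest),
        "tampered": verify(TAMPERED, manifest),
        "md5_only": verify(ORIGINAL, md5_only),
    }


if __name__ == "__main__":
    print(demo())
```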