On 20 January 2017 at 14:36, Dirk-Willem van Gulik <di...@webweaving.org> wrote:
> On 20 Jan 2017, at 13:00, Ben Laurie <b...@links.org> wrote:
>
>> Why do you need the obsolete hash functions?
>
> I am still in the middle of some inventory work with the help of a few 
> friendly enterprise & cloud folks.
>
> But it is not looking good -- so far it seems that:
>
> -       md4 is rarely used (i.e. actually called).
>
> -       md5 is very often used for
>         - salted password
>         - creating all sorts of unguessable IDs.
>         - generation of a randomish token/digest
>         - creating/protecting session cookies
>         - creating 12/23/34/1221231.txt file trees or similar equal wear file 
> / tmp file fanout.
>         - checksumming a file along the lines of taking an fstat() snapshot.
>         - commonly used UUID gen.
>         - content-digest generation for things like cache headers, imap/sieve 
> breakout.
>         - file integrity.
>
> -       sha1 is used a factor 10x less. Mostly:
>         - salted password
>         - creating/protecting session cookies
>
> -       sha256 && 512 seem to be used about as often as md4.
>
> Though nothing stopping us from having a snotty warning/#define to discourage 
> use - and whack the 60 or so distinct places where MD5 is currently used in 
> subversion/httpd and friends and upping this to at least sha256.
>
> I guess cryptographically there is little point between an MD5 and the last 
> 16 bytes of a SHA256 ? Correct ?

Not sure what question you're asking?

>
> As in a lot of the above cases - the MD5 is not exposed - it does not actually need 
> to be an MD5 for interoperability purposes.
>
>
> Dw.
>
>
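
The migration Dirk-Willem sketches (one central switch that discourages MD5, internal identifiers and file fanout paths that only need a fixed-width digest) can be illustrated with a small helper. This is an added example, not code from the thread or from httpd/subversion; the function names `content_id`, `fanout_path` and the default algorithm are assumptions. It shows that the last 16 bytes of SHA-256 give the same 16-byte, 32-hex-character identifier width as MD5, so path layouts and ID formats that never leave the system stay unchanged when the algorithm is swapped, while MD5 callers get a deprecation warning the way a `#define` would nag C code.

```python
import hashlib
import warnings

# Assumed policy switch: the one place where the digest algorithm is chosen,
# mirroring the "warning/#define to discourage use" idea from the thread.
DEFAULT_ALGO = "sha256"
ID_LEN = 16  # MD5 digest length; kept so existing ID/path formats do not change


def content_id(data: bytes, algo: str = DEFAULT_ALGO) -> bytes:
    """Return a fixed 16-byte internal identifier for `data`.

    'md5'    -> the full MD5 digest (legacy, warns on use).
    'sha256' -> the *last* 16 bytes of SHA-256, as proposed in the thread.
    Both are 16 bytes, so callers that embed the hex form in file names,
    cookies or cache keys see no change in width.
    """
    if algo == "md5":
        warnings.warn("MD5 is deprecated for internal identifiers; "
                      "use sha256", DeprecationWarning, stacklevel=2)
        return hashlib.md5(data).digest()
    if algo == "sha256":
        return hashlib.sha256(data).digest()[-ID_LEN:]
    raise ValueError(f"unsupported digest algorithm: {algo!r}")


def fanout_path(digest: bytes, levels: int = 2, width: int = 2) -> str:
    """Build an 'ab/cd/<hex>' style path from a digest for equal-wear fanout.

    Only the hex width matters here, so any 16-byte digest yields the same
    directory shape; this is the "internal, not interoperable" case where the
    algorithm can be changed without coordinating with anyone else.
    """
    hexdigest = digest.hex()
    parts = [hexdigest[i * width:(i + 1) * width] for i in range(levels)]
    return "/".join(parts + [hexdigest])


def same_width(data: bytes) -> bool:
    """Check that the legacy and replacement identifiers have equal length."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        legacy = content_id(data, "md5")
    return len(legacy) == len(content_id(data, "sha256")) == ID_LEN


if __name__ == "__main__":
    sample = b"constructed sample blob"  # constructed input for the demo
    print(fanout_path(content_id(sample)))
    print("width preserved:", same_width(sample))
```

The point the check makes is the one the thread raises: for identifiers that are never compared against an external MD5, only the output width and unpredictability matter, so the swap is a local change behind one switch rather than a protocol change.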
