> On 20 Jan 2017, at 15:46, Ben Laurie <b...@links.org> wrote:
> 
> On 20 January 2017 at 14:36, Dirk-Willem van Gulik <di...@webweaving.org> 
> wrote:
>> On 20 Jan 2017, at 13:00, Ben Laurie <b...@links.org> wrote:
>> 
>>> Why do you need the obsolete hash functions?
>> 
>> I am still in the middle of some inventory work with the help of a few 
>> friendly enterprise & cloud folks.
>> 
>> But it is not looking good -- so far it seems that:
>> 
>> -       md4 is rarely used (i.e. actually called).
>> 
>> -       md5 is very often used for
>>        - salted password
>>        - creating all sorts of unguessable IDs.
>>        - generation of a randomish token/digest
>>        - creating/protecting session cookies
>>        - creating 12/23/34/1221231.txt file trees or similar equal wear file 
>> / tmp file fanout.
>>        - checksumming a file along the lines of taking an fstat() snapshot.
>>        - commonly used UUID gen.
>>        - content-digest generation for things like cache headers, imap/sieve 
>> breakout.
>>        - file integrity.
>> 
>> -       sha1 is used a factor 10x less. Mostly:
>>        - salted password
>>        - creating/protecting session cookies
>> 
>> -       sha256 && 512 seem to be used about as often as md4.
>> 
>> Though nothing is stopping us from having a snotty warning/#define to 
>> discourage use - and whack the 60 or so distinct places where MD5 is 
>> currently used in subversion/httpd and friends and upping this to at least 
>> sha256.
>> 
>> I guess cryptographically there is little point between an MD5 and the last 
>> 16 bytes of a SHA256 ? Correct ?
> 
> Not sure what question you're asking?

So MD5 seems by far the dominant digest method. MOST is actually just to get a 
nice hash/randomish thing.  Or just simple integrity.

Only in a few cases does it actually need to be an MD5 for interoperability 
(e.g. the Content-MD5 header of http, the salted-MD5 against an existing 
htpasswd file).

In most other cases it could silently be replaced by the last 16 bytes of a 
SHA256 (and in quite a few cases; buffer issues permitting; in a full SHA256).

So is, from a security perspective, the last 16 bytes of a SHA256 over a given 
datablock equivalent to an MD5 over the same datablock, in terms of being able 
to determine the outcome, i.e. produce clashing hashes/synthesise data with the 
same (partial) hash?

Or are the last* 16 bytes of a SHA256 'harder' to control ?

Because in that case we get some nice middle ground,

Dw.

Or an XOR fold of all its bytes into 16.
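Added example, not part of the thread: the two MD5-length digests derived from SHA-256 that the message proposes (the last 16 bytes, and an XOR fold of the 32 bytes into 16), plus a birthday search over deliberately short truncations showing that a truncated digest's collision resistance follows from the truncated length (about 2^(n/2) trials for n bits), not from the full 256-bit function. Function names and sample inputs are constructed here; the interoperability cases the message lists (Content-MD5, an existing htpasswd file) still need real MD5 and are not covered.

```python
import hashlib


def md5_like_tail(data: bytes) -> bytes:
    """Last 16 bytes of SHA-256: the same length as an MD5 digest."""
    return hashlib.sha256(data).digest()[-16:]


def md5_like_xorfold(data: bytes) -> bytes:
    """XOR the two 16-byte halves of SHA-256 into one 16-byte value."""
    d = hashlib.sha256(data).digest()
    return bytes(a ^ b for a, b in zip(d[:16], d[16:]))


def truncated_digest(data: bytes, nbits: int) -> int:
    """Low nbits of SHA-256 as an integer (a deliberately tiny truncation)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << nbits) - 1)


def birthday_collision(nbits: int) -> tuple:
    """Find two distinct constructed inputs whose nbits-truncated SHA-256 agree.

    Returns (m1, m2, trials). Trials land around 1.25 * 2**(nbits/2): the
    collision bound of a truncated hash is set by the truncated length, not
    by the 256-bit strength of the underlying function.
    """
    seen = {}
    i = 0
    while True:
        m = b"msg-%d" % i          # constructed inputs: a simple counter
        t = truncated_digest(m, nbits)
        if t in seen:
            return seen[t], m, i + 1
        seen[t] = m
        i += 1


if __name__ == "__main__":
    sample = b"constructed sample block"   # constructed input, not real data
    print("tail16  :", md5_like_tail(sample).hex())
    print("xorfold :", md5_like_xorfold(sample).hex())
    for n in (16, 20, 24):
        m1, m2, trials = birthday_collision(n)
        print(f"{n}-bit truncation: collision after {trials} trials "
              f"(~{int(1.25 * 2 ** (n / 2))} expected)")
```

For 128 truncated bits the same bound is about 2^64 trials, which is the level MD5 was designed for but no longer delivers because of its known structural collision attacks.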