On 20 January 2017 at 14:52, Dirk-Willem van Gulik <di...@webweaving.org> wrote:
>
>> On 20 Jan 2017, at 15:46, Ben Laurie <b...@links.org> wrote:
>>
>> On 20 January 2017 at 14:36, Dirk-Willem van Gulik <di...@webweaving.org>
>> wrote:
>>> On 20 Jan 2017, at 13:00, Ben Laurie <b...@links.org> wrote:
>>>
>>>> Why do you need the obsolete hash functions?
>>>
>>> I am still in the middle of some inventory work with the help of a few
>>> friendly enterprise & cloud folks.
>>>
>>> But it is not looking good -- so far it seems that:
>>>
>>> - md4 is rarely used (i.e. actually called).
>>>
>>> - md5 is very often used for
>>>   - salted password
>>>   - creating all sorts of unguessable IDs.
>>>   - generation of a randomish token/digest
>>>   - creating/protecting session cookies
>>>   - creating 12/23/34/1221231.txt file trees or similar equal wear
>>>     file / tmp file fanout.
>>>   - checksumming a file along the lines of taking an fstat() snapshot.
>>>   - commonly used UUID gen.
>>>   - content-digest generation for things like cache headers,
>>>     imap/sieve breakout.
>>>   - file integrity.
>>>
>>> - sha1 is used a factor 10x less. Mostly:
>>>   - salted password
>>>   - creating/protecting session cookies
>>>
>>> - sha256 && 512 seem to be used about as often as md4.
>>>
>>> Though nothing is stopping us from having a snotty warning/#define to
>>> discourage use - and whack the 60 or so distinct places where MD5 is
>>> currently used in subversion/httpd and friends and upping this to at least
>>> sha256.
>>>
>>> I guess cryptographically there is little point between an MD5 and the last
>>> 16 bytes of a SHA256 ? Correct ?
>>
>> Not sure what question you're asking?
>
> So MD5 seems by far the dominant digest method. MOST is actually just to get
> a nice hash/randomish thing. Or just simple integrity.
>
> Only in a few cases does it actually need to be an MD5 for interoperability
> (e.g. the Content-MD5 header of http, the salted-MD5 against an existing
> htpasswd file).
>
> In most other cases it could silently be replaced by the last 16 bytes of a
> SHA256 (and in quite a few cases, buffer issues permitting, by a full SHA256).
>
> So is, from a security perspective, the last 16 bytes of a SHA256 over a
> given datablock equivalent to an MD5 over the same datablock? In terms of
> being able to determine the outcome; i.e. produce clashing hashes/synthesise
> data with the same (partial) hash?
>
> Or are the last* 16 bytes of a SHA256 'harder' to control?

Last 16 of SHA-256 is stronger than MD5 because, unlike MD5, it hasn't been broken.

> Because in that case we get some nice middle ground,
>
> Dw.
>
> Or an XOR fold of all its bytes into 16.
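The two replacements discussed in the thread (the last 16 bytes of SHA-256, and a 16-byte XOR fold of the full digest) as an added, self-contained example, not code from the thread or from httpd/subversion. It shows that both variants produce output the same size as an MD5 digest (16 bytes, 32 hex characters), so they fit existing buffers and column widths, and it keeps the one interoperability case named in the thread (the Content-MD5 header, base64 of a real MD5) on MD5. Function names, the constructed sample inputs and the hypothetical `fanout_path` helper are assumptions for illustration.

```python
import base64
import hashlib

MD5_DIGEST_SIZE = 16  # bytes; the "buffer" every drop-in replacement must fit


def md5_16(data: bytes) -> bytes:
    """Plain MD5, kept only where a peer requires it (interoperability)."""
    return hashlib.md5(data).digest()


def sha256_tail16(data: bytes) -> bytes:
    """Last 16 bytes of SHA-256: same size as an MD5 digest, but built on an
    unbroken hash. The truncation halves the collision resistance to 2^64
    (the same birthday bound MD5 was designed for), no worse than that."""
    return hashlib.sha256(data).digest()[-MD5_DIGEST_SIZE:]


def sha256_xorfold16(data: bytes) -> bytes:
    """XOR-fold the 32-byte SHA-256 digest into 16 bytes: each output byte
    mixes one byte from the first half with one from the second."""
    d = hashlib.sha256(data).digest()
    return bytes(a ^ b for a, b in zip(d[:16], d[16:]))


def content_md5_header(body: bytes) -> str:
    """Content-MD5 (RFC 1864): base64 of the *full* MD5 digest. A receiver
    recomputes MD5, so this one cannot be silently swapped to SHA-256."""
    return base64.b64encode(md5_16(body)).decode("ascii")


def fanout_path(data: bytes, levels: int = 3) -> str:
    """Hypothetical 'equal wear' file fanout (12/34/56/<hex>.txt style) keyed
    on the truncated SHA-256 instead of MD5. Same shape and length as before."""
    h = sha256_tail16(data).hex()
    return "/".join(h[2 * i : 2 * i + 2] for i in range(levels)) + "/" + h + ".txt"


def fits_md5_buffer(digest: bytes) -> bool:
    """Check the invariant that lets the swap be 'silent': identical size."""
    return len(digest) == MD5_DIGEST_SIZE


if __name__ == "__main__":
    sample = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"  # constructed
    for name, fn in (("md5", md5_16), ("sha256[-16:]", sha256_tail16),
                     ("sha256 xor-fold", sha256_xorfold16)):
        d = fn(sample)
        print(f"{name:16} {d.hex()}  fits_md5_buffer={fits_md5_buffer(d)}")
    print("Content-MD5:", content_md5_header(sample))
    print("fanout:", fanout_path(sample))
```

Note that neither 16-byte variant is a substitute for a password hash or a keyed MAC: the thread's "salted password" and "session cookie" uses need a dedicated password hash or an HMAC respectively, whichever underlying digest is chosen.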