> On 20 Jan 2017, at 16:02, Ben Laurie <b...@links.org> wrote:
>
> On 20 January 2017 at 14:52, Dirk-Willem van Gulik <di...@webweaving.org> wrote:
>>
>>> On 20 Jan 2017, at 15:46, Ben Laurie <b...@links.org> wrote:
>>>
>>> On 20 January 2017 at 14:36, Dirk-Willem van Gulik <di...@webweaving.org> wrote:
>>>> On 20 Jan 2017, at 13:00, Ben Laurie <b...@links.org> wrote:
>>>>
>>>>> Why do you need the obsolete hash functions?
>>>>
>>>> I am still in the middle of some inventory work with the help of a few
>>>> friendly enterprise & cloud folks.
>>>>
>>>> But it is not looking good -- so far it seems that:
>>>>
>>>> - md4 is rarely used (i.e. actually called).
>>>>
>>>> - md5 is very often used for
>>>>   - salted password
>>>>   - creating all sorts of unguessable IDs.
>>>>   - generation of a randomish token/digest
>>>>   - creating/protecting session cookies
>>>>   - creating 12/23/34/1221231.txt file trees or similar equal-wear
>>>>     file / tmp file fanout.
>>>>   - checksumming a file along the lines of taking an fstat() snapshot.
>>>>   - commonly used UUID gen.
>>>>   - content-digest generation for things like cache headers,
>>>>     imap/sieve breakout.
>>>>   - file integrity.
>>>>
>>>> - sha1 is used about 10x less. Mostly:
>>>>   - salted password
>>>>   - creating/protecting session cookies
>>>>
>>>> - sha256 && 512 seem to be used about as often as md4.
>>>>
>>>> Though nothing is stopping us from having a snotty warning/#define to
>>>> discourage use - and whack the 60 or so distinct places where MD5 is
>>>> currently used in subversion/httpd and friends and upping this to at least
>>>> sha256.
>>>>
>>>> I guess cryptographically there is little difference between an MD5 and the
>>>> last 16 bytes of a SHA256 ? Correct ?
>>>
>>> Not sure what question you're asking?
>>
>> So MD5 seems by far the dominant digest method. MOST is actually just to get
>> a nice hash/randomish thing. Or just simple integrity.
>>
>> Only in a few cases does it actually need to be an MD5 for interoperability
>> (e.g. the Content-MD5 header of http, the salted-MD5 against an existing
>> htpasswd file).
>>
>> In most other cases it could silently be replaced by the last 16 bytes of a
>> SHA256 (and in quite a few cases, buffer issues permitting, by a full
>> SHA256).
>>
>> So is, from a security perspective, the last 16 bytes of a SHA256 over a
>> given datablock equivalent to an MD5 over the same datablock? In terms of
>> being able to determine the outcome, i.e. produce clashing hashes/synthesise
>> data with the same (partial) hash?
>>
>> Or are the last 16 bytes of a SHA256 'harder' to control?
>
> Last 16 of SHA-256 is stronger than MD5 because, unlike MD5, it hasn't
> been broken.
Ok, so if we had a special #ifdef for 'TRUE_MD5' and would manually tweak/mark up the 2 or 3 places where we know we need a real MD5, we could have a 'fiddle' mode where we silently return a better 'md5' in the places where we would like to use a SHA256 but it is just too much hassle to adjust things.

Dw.
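The 'fiddle' mode sketched in the thread, as an added example that is not part of the original mails nor of httpd/APR/subversion: a 16-byte digest helper that returns the last 16 bytes of SHA-256 by default, and real MD5 only at the call sites explicitly marked as needing interoperability (Content-MD5 here; the htpasswd case works the same way). It is written in Python with hashlib rather than against the APR C API so it runs stand-alone; the names `FIDDLE_MD5`, `md5_compat`, `content_md5_header` and `fanout_path` are this example's own and are not identifiers from the projects discussed. The point it makes beyond the prose is that the callers' visible contract (16 raw bytes, 32 hex characters) is unchanged, so fanout paths, tokens and the like keep working, while any site that forgot the `true_md5` marker would silently emit a non-MD5 value to the peer.

```python
import base64
import hashlib

# Analogue of the proposed build-time switch (assumption, not a real APR/httpd
# option): True means "silently hand back truncated SHA-256 where a 16-byte
# 'md5' is wanted but interoperability with real MD5 is not required".
FIDDLE_MD5 = True


def md5_compat(data: bytes, true_md5: bool = False) -> bytes:
    """Return a 16-byte digest of `data`.

    true_md5=True marks the few call sites that must emit genuine MD5 because
    the other end checks it (Content-MD5, existing htpasswd entries). All other
    callers get the last 16 bytes of SHA-256, which has the same length and
    hex width but no known collision attacks.
    """
    if true_md5 or not FIDDLE_MD5:
        return hashlib.md5(data).digest()
    return hashlib.sha256(data).digest()[-16:]


def md5_compat_hex(data: bytes, true_md5: bool = False) -> str:
    """32-character lowercase hex, the form most of the inventoried callers use."""
    return md5_compat(data, true_md5).hex()


def content_md5_header(body: bytes) -> str:
    """RFC 1864 style Content-MD5: base64 of the 16-byte MD5 of the body.

    This is one of the interop sites: a receiver recomputes MD5, so the
    true_md5 marker is mandatory here regardless of FIDDLE_MD5.
    """
    return "Content-MD5: " + base64.b64encode(md5_compat(body, true_md5=True)).decode("ascii")


def fanout_path(key: bytes, depth: int = 3) -> str:
    """Equal-wear directory fanout (12/23/34/<digest>) of the kind the thread
    lists as a common MD5 use. Only needs a well-spread 16-byte value, so the
    default (truncated SHA-256) is fine and the layout is unchanged."""
    h = md5_compat_hex(key)
    parts = [h[2 * i:2 * i + 2] for i in range(depth)]
    return "/".join(parts + [h])


def digests_differ(data: bytes) -> bool:
    """True when fiddle mode actually changes the value a caller sees, which is
    exactly the case an unmarked interop site would break on."""
    return md5_compat(data) != md5_compat(data, true_md5=True)


if __name__ == "__main__":
    sample = b"abc"  # constructed input
    print("fiddle  :", md5_compat_hex(sample))
    print("true md5:", md5_compat_hex(sample, true_md5=True))
    print(content_md5_header(sample))
    print(fanout_path(b"session-token-42"))
```

Both digests are 16 bytes and 32 hex characters, so nothing downstream that sizes buffers or splits hex for fanout has to change; the only places that need touching are the ones that pass `true_md5=True`, which is what the proposed `TRUE_MD5` markup would enumerate.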