[EMAIL PROTECTED] wrote: > but the /. post talks about using SHA-256, and I've seen some sites > also using GPG.
FYI, signing a file with GPG might still be "vulnerable" to any issues with MD5. You sign a file by first hashing it, then encrypting the hash value with your private key -- so if the hash function that you choose allows attackers to generate collisions easily (a preimage or second- preimage attack -- e.g., if you "hash" it with CRC32), then they can change the file in certain ways, and the signature will still validate on the changed version. Note that the issues with MD5 do not (yet) allow preimage or second-preimage attacks, though. (But if someone persuades you to sign a file that they generated, they may have generated that file so that it has the same hash value as a different file that they want to forge your signature on. The easiest defense against this is to change a few of the bytes in any file you sign before you sign it, unless you created it yourself.) If the signing program uses SHA-1 or SHA-256 (if that's an option) or SHA-512 (again, if that's an option), then it's probably a bit better than MD5. It appears that GPG uses SHA-1 as its default hash algorithm (or at least, my version of Enigmail tells it to use SHA-1). > According to that wikipedia article, computing power is now such that > 128 bit encryption is susceptible to brute force attacks. ... I would not say that (and after reading the article, I'm not sure where you got it from, either). I don't believe that AES-128, for example, is vulnerable to brute-forcing quite yet, although as machines get faster, it'll get closer. Birthday attacks, for instance, don't apply to encryption functions. (MD5 does not do encryption, either, it does hashing. ;-) ) However, after all that, I do believe that providing the sha1sum of any files we host would be prudent. (Whether that's in addition to the md5sum, or not, wouldn't really matter.)
signature.asc
Description: OpenPGP digital signature
-- http://linuxfromscratch.org/mailman/listinfo/lfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page