Bugtraq mailing list archives
Re: MD5 To Be Considered Harmful Someday
From: Dan Kaminsky <dan () doxpara com>
Date: Wed, 08 Dec 2004 13:44:08 -0800
SHA-1 is truncatable to 128 bits for applications that have limited space available for hashes. This limits the birthday paradox attack to a 2^64 effort, but MD5 isn't anywhere close to that anymore. (Incidentally, the output of birthday attack is an unchosen collision, just like Wang's.)Since you can't possibly mean absolutely suitable, can you clarify your basis for suitability? I'm not asking for a technical proof, just the general metrics used to make the determination. If 160 bit SHA1 is good enough for one application but not another, what does one need to know to decide for their own application?
SHA-1 isn't perfect, but we haven't known its been broken for a decade like we have for MD5.
--Dan
Current thread:
- Re: MD5 To Be Considered Harmful Someday, (continued)
- Re: MD5 To Be Considered Harmful Someday Keith Oxenrider (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Paul Wouters (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Dan Kaminsky (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Paul Wouters (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Adam Shostack (Dec 09)
- Re: MD5 To Be Considered Harmful Someday Solar Designer (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Dan Kaminsky (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Pavel Kankovsky (Dec 09)
- Re: MD5 To Be Considered Harmful Someday Solar Designer (Dec 13)
- Re: MD5 To Be Considered Harmful Someday George Georgalis (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Dan Kaminsky (Dec 08)
- Re: MD5 To Be Considered Harmful Today Dan Kaminsky (Dec 08)
- Re: MD5 To Be Considered Harmful Today Pavel Machek (Dec 08)
- Re: MD5 To Be Considered Harmful Today Dan Kaminsky (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Jack Lloyd (Dec 08)
- Re: MD5 To Be Considered Harmful Someday Jack Lloyd (Dec 08)