There are a number of reasons why it is prudent to calculate SHA-1 in addition to md5. They can be used to some degree to compare and validate each other's results. And what if some morning it is discovered that there is a fatal flaw in md5, and that the results cannot be trusted? You already have Plan B. Commodity compute power is cheap, as is storage for a bunch of 128/160 bit outputs. al holt NSIRC -----Original Message----- From: Simson L. Garfinkel [mailto:slgat_private] Sent: Saturday, January 25, 2003 9:30 AM To: Matt Scarborough; Simson L. Garfinkel Cc: Chris Reining; Mark G. Spencer; forensicsat_private Subject: Re: MD5 Exploit Database? Matt, Thanks for responding to this. Do you think that I should go ahead with the MD5 collection project? It doesn't seem like anything else is doing quite this thing, and I think that it would be useful. Do you think that I shoudl collect both SHA-1 and MD5 codes? ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Feb 05 2003 - 05:30:26 PST