The listbot rejected this, so I am resending it... > From: "Simson L. Garfinkel" <simsongat_private> > Date: Thu Jan 30, 2003 7:28:06 PM US/Eastern > To: "Holt, Albert" <Albert.Holtat_private> > Cc: "Simson L. Garfinkel" <slgat_private>, Matt Scarborough > <vexversaat_private>, Chris Reining <creiningat_private>, "Mark > G. Spencer" <mspencerat_private>, forensicsat_private > Subject: RE: MD5 Exploit Database? > > > I understand the argument, but I do not agree with it. > > 1. I do not think that SHA-1 can be used to validate the results of > MD5. What do you do if they disagree? What does it mean if they agree? > > 2. I do not think that we are likely to find a fatal flaw in MD5 that > allows people to craft arbitrary MD5 results in text files or > executables. Perhaps in random binary data, but probably not. But even > if we did, more than 10 years' experience with MD5 shows that it is > very useful on its own for real-world applications. Being able to > craft a collision wouldn't change that. > > 3. The extra CPU time is significant, as is the extra storage time. > Computing the hash codes for all of the files on my computer is a > CPU-bound activity, not a disk-bound activity. It makes a difference > to me if something takes 4 hours vs. 1 hour. Computers will get > faster, but even 1 hour vs. 15 minutes makes a significant difference. > > However, I'm willing to be convinced otherwise. > > > On Thursday, January 30, 2003, at 07:43 AM, Holt, Albert wrote: > >> There are a number of reasons why it is prudent to calculate SHA-1 in >> addition to md5. They can be used to some degree to compare and >> validate >> each other's results. And what if some morning it is discovered that >> there >> is a fatal flaw in md5, and that the results cannot be trusted? You >> already >> have Plan B. Commodity compute power is cheap, as is storage for a >> bunch of >> 128/160 bit outputs. >> >> al holt >> NSIRC >> ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Feb 05 2003 - 05:33:29 PST