lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20041208213056.GB1161@sta>
Date: Wed, 8 Dec 2004 16:30:56 -0500
From: "George Georgalis" <george@...is.org>
To: David Schwartz <davids@...master.com>
Cc: gandalf@...ital.net, Dan Kaminsky <dan@...para.com>,
	BugTraq <bugtraq@...urityfocus.com>
Subject: Re: MD5 To Be Considered Harmful Someday


On Tue, Dec 07, 2004 at 08:01:13PM -0800, David Schwartz wrote:

>       Yes. At this point, MD5 should no longer be used for
>applications where an adversary might have access to the data that
>is being signed. That means it's no longer suitable for signing
>certificates or authenticating data sent over a peer-to-peer
>network. SHA1 with 160-bits is still, as far as we know, suitable for
>all of these purposes.

Since you can't possibly mean absolutely suitable, can you clarify your
basis for suitability? I'm not asking for a technical proof, just the
general metrics used to make the determination.

If 160 bit SHA1 is good enough for one application but not another, what
does one need to know to decide for their own application?

// George


-- 
George Georgalis, systems architect, administrator Linux BSD IXOYE
http://galis.org/george/ cell:646-331-2027 mailto:george@...is.org


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ