Subject: Checksum for packages
To: None <tech-pkg@netbsd.org>
From: Dominik Rothert <dr@astorit.com>
List: tech-pkg
Date: 12/20/2000 13:14:13
According to a text in CryptoBytes (Vol 2 No 2, Summer 1996),
MD5 is not the best solution for confirming the retrieved distfiles
match the original files. I suppose to use SHA1 instead of MD5,
since this algorithm seems to be more secure for a longer period
of time. By the way, OpenBSD people decided to use SHA1, too.
Dobbertin wrote:
| Conclusions
|
| The presented attack does not yet threaten practical applications of
| MD5, but it comes rather close. In view of the flexibility of the
| new analytic techniques it would be unwise to assume that the attack
| could not be improved. Ron Rivest [16] commented on the status of
| MD4, after two-round attacks had been found, that it is at the
| edge in terms of risking suc-cessful cryptanalytic attack. Today
| this assessment characterizes the status of MD5. Therefore we
| suggest that in the future MD5 should no longer be implemented in
| applications like signature schemes, where a collision-resistant
| hash function is required. According to our present knowledge,
| the best recommendations for alternatives to MD5 are SHA-1 and
| RIPEMD-160. If essentially weaker cryptographic properties than
| collision-resistance suffice then the use of MD5 might still be
| secure. MD5 can still be used as a one-way function. The HMAC due to
| Bellare, Canetti, and Krawczyk [3, 4] is not touched by the recent
| analytic progress. Future research should analyse hash functions
| with respect to properties like pseudo-random behaviour, which are
| required in message authentication constructions.
Why are we still using MD5?
Regards,
Dominik
--
/* Dominik Rothert | dr@astorit.com *
* A S T O R I T | http://www.astorit.com/ *
* Hohenzollernring 52 | fon +49-221-251440 *
* 50672 Cologne, Germany | fax +49-221-251443 */:wq!