apr-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: SHA256 and friends.
Date Fri, 20 Jan 2017 14:36:10 GMT
On 20 Jan 2017, at 13:00, Ben Laurie <ben@links.org> wrote:

> Why do you need the obsolete hash functions?

I am still in the middle of some inventory work with the help of a few friendly enterprise
& cloud folks.

But it is not looking good -- so far it seems that:

-	md4 is rarely used (i.e. actually called).

-	md5 is very often used for
	- salted password
	- creating all sorts of unguessable IDs.
	- generation of a randomish token/digest 
	- creating/protecting session cookies
	- creating 12/23/34/1221231.txt file trees or similar equal wear file / tmp file fanout.
	- checksumming a file along the lines of taking an fstat() snapshot.
	- commonly used UUID gen.
	- content-digest generation for things like cache headers, imap/sieve breakout.
	- file integrity.

-	sha1 is used a factor 10x less. Mostly:
	- salted password
	- creating/protecting session cookies

-	sha256 && 512 seem to be used about as often as md4.

Though nothing is stopping us from having a snotty warning/#define to discourage use - and whack
the 60 or so distinct places where MD5 is currently used in subversion/httpd and friends
and upping this to at least sha256.

I guess cryptographically there is little point between an MD5 and the last 16 bytes of a
SHA256? Correct?

As in a lot of the above cases the MD5 is not exposed, it does not actually need to be an MD5 for
interoperability purposes.
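As an added example (not code from the thread, from APR or from httpd), the Python below shows the replacement the mail is weighing: the last 16 bytes of SHA-256 give the same 16-byte width as an MD5 digest, so internal uses such as the `12/23/34/...` file fanout keep working unchanged, while the "unguessable token" case is better served by the OS CSPRNG than by any hash. The fanout depth and the `.txt` suffix are assumptions for illustration.

```python
import hashlib
import secrets


def legacy_id(data: bytes) -> bytes:
    """The pattern described in the mail: MD5 used purely as a 16-byte mixer."""
    return hashlib.md5(data).digest()


def sha256_16(data: bytes) -> bytes:
    """Drop-in replacement: the last 16 bytes of SHA-256, same width as an MD5 digest."""
    return hashlib.sha256(data).digest()[-16:]


def fanout_path(digest: bytes, levels: int = 3) -> str:
    """Build a '12/23/34/<hex>.txt' style path from any 16-byte digest.

    Only the digest width matters here, so MD5 and truncated SHA-256 are
    interchangeable for this internal, never-exposed use.  `levels` and the
    '.txt' suffix are assumed for illustration.
    """
    if len(digest) != 16:
        raise ValueError("expected a 16-byte digest")
    parts = [f"{b:02x}" for b in digest[:levels]]
    return "/".join(parts + [digest.hex() + ".txt"])


def session_token(nbytes: int = 16) -> str:
    """Unguessable ID/token: draw it from the OS CSPRNG rather than hashing guessable input."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed sample input standing in for a file's fstat() snapshot.
    snapshot = b"inode=1234 size=4096 mtime=1484923000"
    print("md5      :", fanout_path(legacy_id(snapshot)))
    print("sha256/16:", fanout_path(sha256_16(snapshot)))
    print("token    :", session_token())
```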

