apr-dev mailing list archives

From Ben Laurie <...@links.org>
Subject Re: SHA256 and friends.
Date Fri, 20 Jan 2017 14:46:18 GMT
On 20 January 2017 at 14:36, Dirk-Willem van Gulik <dirkx@webweaving.org> wrote:
> On 20 Jan 2017, at 13:00, Ben Laurie <ben@links.org> wrote:
>
>> Why do you need the obsolete hash functions?
>
> I am still in the middle of some inventory work with the help of a few friendly enterprise & cloud folks.
>
> But it is not looking good -- so far it seems that:
>
> -       md4 is rarely used (i.e. actually called).
>
> -       md5 is very often used for
>         - salted password
>         - creating all sorts of unguessable IDs.
>         - generation of a randomish token/digest
>         - creating/protecting session cookies
>         - creating 12/23/34/1221231.txt file trees or similar equal wear file / tmp file fanout.
>         - checksumming a file along the lines of taking an fstat() snapshot.
>         - commonly used UUID gen.
>         - content-digest generation for things like cache headers, imap/sieve breakout.
>         - file integrity.
>
> -       sha1 is used a factor 10x less. Mostly:
>         - salted password
>         - creating/protecting session cookies
>
> -       sha256 && 512 seem to be used about as often as md4.
>
> Though nothing stopping us from having a snotty warning/#define to discourage use - and whack the 60 or so distinct places where MD5 is currently used in subversion/httpd and friends and upping this to at least sha256.
>
> I guess cryptographically there is little point between an MD5 and the last 16 bytes of a SHA256? Correct?

Not sure what question you're asking?

>
> As in a lot of the above cases - the MD5 is not exposed - does not actually need to be an MD5 for interoperability purposes.
>
>
> Dw.
>
>
