[Cryptography] let's kill md5sum!

Zooko Wilcox-OHearn zooko at leastauthority.com
Fri Jun 5 22:22:09 EDT 2015


Dear Perry's Crypto List folks:

The time has come to kill off md5sum. Here's the letter I wrote to the
GNU coreutils project advocating replacing md5sum with b2sum (BLAKE2)
which they seem to be in favor of:

http://lists.gnu.org/archive/html/coreutils/2015-05/msg00048.html

I did a quick and dirty benchmark (attached to that email as a
postscript) and was delighted that b2sum (in BLAKE2sp mode) was almost
twice as fast as md5sum on my Intel Core-i5 laptop!

Do you all know of other implementations of md5sum besides the GNU
coreutils one?

One snag that I've noticed is that some people tell me "Okay, we're
going to switch from MD5 to BLAKE2, but our hash values have to fit
into the fields where we used to store our MD5 hashes." I tried my
hardest to explain that no matter how good the hash function is,
truncating the output to 128 bits is going to leave users potentially
vulnerable to collision attacks at some point down the road. The
response was "Well, we'll just take our chances, because we can't
change the schema."

I've been thinking that I'm going to go back to those folks and ask if
their schema is hex-encoded MD5 hashes (32 chars), and if so if they
could change their schema to base-64 encoded BLAKE2 hashes. That would
give them 192 bits, which would be enough to make me stop worrying
about their users. :-)

Any suggestions?

Regards,

Zooko, the BLAKE2 Publicity Officer
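The field-width arithmetic in the post, as an added example that is not part of the original message: hex MD5 occupies 32 characters for 128 bits, while base64 packs 3 bytes into 4 characters, so the same 32-character column holds a 24-byte (192-bit) digest. The code below uses `hashlib.blake2b` (BLAKE2sp is not in the Python standard library, so this is a stand-in, not the b2sum mode benchmarked in the post) and requests the 24-byte length through BLAKE2's own `digest_size` parameter instead of chopping a 64-byte output; the digest length is part of the BLAKE2 parameter block, so the short digest is a distinct hash rather than a prefix of the long one. The birthday-bound helper states the generic collision cost the post alludes to. Function names and the constructed sample inputs are this example's own.

```python
import base64
import hashlib


def md5_hex(data: bytes) -> str:
    """Legacy storage format: hex-encoded MD5, 32 characters for 128 bits."""
    return hashlib.md5(data).hexdigest()


def blake2_for_field(data: bytes, field_chars: int = 32) -> str:
    """BLAKE2b digest sized so its base64 form exactly fills a field of field_chars.

    Base64 emits 4 characters per 3 input bytes, so a 32-char field holds
    24 bytes = 192 bits with no '=' padding. The length is requested via
    BLAKE2's digest_size parameter, not by truncating a full-length output.
    """
    if field_chars % 4:
        raise ValueError("base64 output length is always a multiple of 4")
    digest_size = field_chars // 4 * 3
    if not 1 <= digest_size <= 64:
        raise ValueError("BLAKE2b supports digest sizes of 1..64 bytes")
    digest = hashlib.blake2b(data, digest_size=digest_size).digest()
    return base64.b64encode(digest).decode("ascii")


def truncated_blake2_hex(data: bytes, bits: int = 128) -> str:
    """The option the post argues against: full BLAKE2b cut down to `bits`
    and hex-encoded. Kept here only to compare output widths and security."""
    return hashlib.blake2b(data).digest()[: bits // 8].hex()


def generic_collision_work_bits(digest_bits: int) -> int:
    """Birthday bound: a generic collision costs roughly 2**(n/2) evaluations
    for an n-bit digest, regardless of how good the underlying function is."""
    return digest_bits // 2


def compare_layouts(data: bytes) -> dict:
    """Summarise, for one input, what each encoding puts in a 32-char column."""
    md5 = md5_hex(data)
    b2_b64 = blake2_for_field(data, 32)
    b2_trunc = truncated_blake2_hex(data, 128)
    b2_bits = len(base64.b64decode(b2_b64)) * 8
    return {
        "md5_hex": md5,
        "md5_chars": len(md5),
        "md5_bits": len(md5) * 4,
        "md5_collision_bits": generic_collision_work_bits(len(md5) * 4),
        "blake2_truncated_hex": b2_trunc,
        "blake2_truncated_bits": len(b2_trunc) * 4,
        "blake2_truncated_collision_bits": generic_collision_work_bits(len(b2_trunc) * 4),
        "blake2_b64": b2_b64,
        "blake2_b64_chars": len(b2_b64),
        "blake2_b64_bits": b2_bits,
        "blake2_b64_collision_bits": generic_collision_work_bits(b2_bits),
    }


if __name__ == "__main__":
    # Constructed sample input; any bytes will do.
    for key, value in compare_layouts(b"example file contents\n").items():
        print(f"{key:34} {value}")
```

Both BLAKE2 variants fit the existing 32-character column; only the base64 one raises the generic collision cost from about 2^64 to about 2^96 operations, which is the point of the schema change the post proposes.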
