[Cryptography] let's kill md5sum!

RB aoz.syn at gmail.com
Mon Jun 8 10:06:55 EDT 2015


On Fri, Jun 5, 2015 at 8:22 PM, Zooko Wilcox-OHearn
<zooko at leastauthority.com> wrote:
> Dear Perry's Crypto List folks:
>
> The time has come to kill off md5sum.

Please forgive my non-cryptographer ignorance, but what warrants
wholesale elimination as opposed to, say, unambiguous deprecation (as
various tools have adopted with --i-really-know-what-i-am-doing
arguments)?

As I understand it, MD5's worst break is an attack that takes two
dissimilar files and appends to _both_ until their MD5 checksum
matches.  This is undeniably bad, but it presumes that Mallory has the
ability to alter the original, that size isn't checked, and that
metadata (like MD5 and size) is universally malleable.  None of these
qualifications excuse MD5, but do we realistically expect greater
future breakage?  Say, the ability to generate an arbitrary collision
without modifying the "original"?

I ask because there are many situations where the MD5 (and size) of a
given file is still stored and necessary, but the original file is not
available, mostly for legal and political reasons.  No new usage of
MD5 is warranted, but eliminating md5sum altogether seems heavy-handed
and itself unwarranted.
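An added example (not from the post, the list, or any project it mentions) of the verification pattern the post describes: a stored record that carries only MD5 and size because the original file is gone, a verifier that checks both values and refuses MD5-only records unless an explicit override is passed (the deprecation-flag approach the post contrasts with outright removal), and an upgrade step that attaches a SHA-256 once the data has verified so the MD5 path is no longer needed. The record layout, function names and sample content are constructed assumptions for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample payload standing in for a file whose original is no
# longer available; only its MD5 and size were retained (assumption).
SAMPLE_CONTENT = b"example archive payload\n"


@dataclass(frozen=True)
class StoredRecord:
    """Integrity record as assumed for this example: legacy entries have
    only md5_hex and size; upgraded entries also carry sha256_hex."""
    md5_hex: str
    size: int
    sha256_hex: Optional[str] = None


def compute_digests(data: bytes) -> Tuple[str, int, str]:
    """Return (md5 hex, byte length, sha256 hex) for the data."""
    return (
        hashlib.md5(data).hexdigest(),
        len(data),
        hashlib.sha256(data).hexdigest(),
    )


def make_legacy_record(data: bytes) -> StoredRecord:
    """Build the kind of MD5-plus-size record the post says is still stored."""
    md5_hex, size, _ = compute_digests(data)
    return StoredRecord(md5_hex=md5_hex, size=size)


def verify(data: bytes, record: StoredRecord,
           allow_deprecated_md5: bool = False) -> Tuple[bool, str]:
    """Verify data against a record.

    Preference order: SHA-256 if the record has it; otherwise MD5 together
    with size, but only when the caller explicitly opts into the deprecated
    algorithm (the --i-really-know-what-i-am-doing style the post mentions).
    Returns (ok, reason) so callers can log why verification passed or failed.
    """
    md5_hex, size, sha256_hex = compute_digests(data)

    if record.sha256_hex is not None:
        # Strong path: size is still checked so a truncated/extended file
        # is reported as a size problem rather than a bare digest mismatch.
        if size != record.size:
            return False, "size mismatch"
        if not hmac.compare_digest(sha256_hex, record.sha256_hex):
            return False, "sha256 mismatch"
        return True, "sha256"

    if not allow_deprecated_md5:
        return False, "refused: record has MD5 only; set allow_deprecated_md5=True"

    # Legacy path: both values the record keeps must match.
    if size != record.size:
        return False, "size mismatch"
    if not hmac.compare_digest(md5_hex, record.md5_hex):
        return False, "md5 mismatch"
    return True, "md5+size (deprecated)"


def upgrade_record(data: bytes, record: StoredRecord) -> Optional[StoredRecord]:
    """If data verifies under a legacy record, return a new record that also
    carries SHA-256 so future checks no longer need the MD5 path. Returns
    None when the legacy verification fails (nothing is upgraded blindly)."""
    ok, _ = verify(data, record, allow_deprecated_md5=True)
    if not ok:
        return None
    _, _, sha256_hex = compute_digests(data)
    return StoredRecord(md5_hex=record.md5_hex, size=record.size,
                        sha256_hex=sha256_hex)


if __name__ == "__main__":
    legacy = make_legacy_record(SAMPLE_CONTENT)
    print("legacy, no override:", verify(SAMPLE_CONTENT, legacy))
    print("legacy, override:   ", verify(SAMPLE_CONTENT, legacy, True))
    print("appended byte:      ", verify(SAMPLE_CONTENT + b"x", legacy, True))
    upgraded = upgrade_record(SAMPLE_CONTENT, legacy)
    print("upgraded record:    ", verify(SAMPLE_CONTENT, upgraded))
```

The verifier never silently falls back from SHA-256 to MD5: a record that has the stronger digest is checked only against it, and a record without one fails closed unless the caller opts in. The upgrade helper is the migration path for the situation the post describes, where the MD5 and size are all that was kept: once a copy of the data verifies under them, a SHA-256 is recorded and the deprecated check is not needed again.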

