[Cryptography] let's kill md5sum!
Jerry Leichter
leichter at lrw.com
Mon Jun 8 05:51:49 EDT 2015
On Jun 7, 2015, at 9:25 AM, Heinz Diehl <htd+ml at fritha.org> wrote:
> There are many use cases where its vulnerabilities are not a weakness, as e.g.
> in data mining, probabilistic string and pattern matching and many
> more. So why remove it (and breaking a lot of software)?
>
> The point is that its use as a cryptographic hash should be abandoned,
> but not its use in general.
Recall Zooko's comment in the base post: "I did a quick and dirty benchmark ... and was delighted that b2sum (in BLAKE2sp mode) was almost twice as fast as md5sum on my Intel Core-i5 laptop!"
It's *possible* that one could find other cases where md5sum is actually faster, but it seems unlikely: Even when it was first introduced, MD5 was the "slower but more conservative hash, compared to MD4". (Not long after, MD4 was broken badly enough that its use security-related applications never caught on - though in non-security use cases it was perhaps a better alternative!)
Given this, the only possible reason in *any* use case to choose MD5 is to compare to existing, historical records of checksums. It's hard to judge how many of these are out there - and, more to the point, how many are out there *and use md5sum as a command line utility*, rather than using the MD5 algorithm internally. Probably not many, would be my guess.
BTW, Zooko's goal, broad as it is, barely scratches the surface. I personally never think of using md5sum - "openssl dgst" is probably more broadly available and by default it provides a MD5 checksum! (Of course, openssl tries to cover the historical bases - it also supports MD2, among other long-dead algorithms.) If we're talking about killing md5sum, we should simultaneously be planning to change the default for openssl dgst.
Then there's the flip side: There are plenty of sites on the Internet that publish the MD5 checksums of things like software distributions to allow people to check that they have an untampered-with download. This is *exactly* the use case most subject to significant attack! I can't recall the last time I saw a site that provided *only* MD5 - most provide both MD5 and SHA1 - but as long as the checksums are there and the md5sum and openssl dgst command lines provide for quick checks ... people will rely on them.
-- Jerry
More information about the cryptography
mailing list