Cocoa mail archive
Re: [NSPipe pipe] returning nil (running out of filehandles?)
FROM : John Stiles
DATE : Wed Apr 02 18:12:28 2008
Jens Alfke wrote:
>
>
> Also, you're aware that MD5 shouldn't be used for anything
> security-related anymore? Last I heard it's pretty close to being
> fully broken. SHA-1 is a lot more secure, and has a larger output
> which itself makes collisions less likely.
"Fully broken"? I don't know about that. Simpler variants—I think it was
MD4?—have some kind of non-threatening attacks, e.g. the keyspace for
finding a packet with the same signature is several powers of 2 less
than the full keyspace. But the matching packet will basically be
identical except a handful of bits are flipped. And AFAIK nobody is even
remotely close to finding a technique which would let you write
arbitrary data and then tack on a few bytes to get the signature you
want, and that's what I'd call "fully broken," at least that's what
you'd need to find in order to make an exploit. Nobody has done any of
this for real MD5 yet as far as I know. (In fact, I am not sure that
anyone has found any two packets that generate an identical MD5 signature!)
If you are not CPU bound, SHA-1 is probably better anyway, but don't
feel obligated to use it if it turns out to be a performance concern. I
think it's going to be quite some years before we see a viable approach
for hacking MD5 in such a way that it would create an actual security
concern.
DATE : Wed Apr 02 18:12:28 2008
Jens Alfke wrote:
>
>
> Also, you're aware that MD5 shouldn't be used for anything
> security-related anymore? Last I heard it's pretty close to being
> fully broken. SHA-1 is a lot more secure, and has a larger output
> which itself makes collisions less likely.
"Fully broken"? I don't know about that. Simpler variants—I think it was
MD4?—have some kind of non-threatening attacks, e.g. the keyspace for
finding a packet with the same signature is several powers of 2 less
than the full keyspace. But the matching packet will basically be
identical except a handful of bits are flipped. And AFAIK nobody is even
remotely close to finding a technique which would let you write
arbitrary data and then tack on a few bytes to get the signature you
want, and that's what I'd call "fully broken," at least that's what
you'd need to find in order to make an exploit. Nobody has done any of
this for real MD5 yet as far as I know. (In fact, I am not sure that
anyone has found any two packets that generate an identical MD5 signature!)
If you are not CPU bound, SHA-1 is probably better anyway, but don't
feel obligated to use it if it turns out to be a performance concern. I
think it's going to be quite some years before we see a viable approach
for hacking MD5 in such a way that it would create an actual security
concern.
