[pacman-dev] MD5/SHA* why?
Xavier
shiningxc at gmail.com
Thu Jul 5 21:32:05 EDT 2007
On Thu, Jul 05, 2007 at 03:42:42PM -0700, Jason Chu wrote:
>
> We are at an inroads in hashing algorithm theory. All the current hashing
> algorithms have flaws. It's also likely that any new hash algorithms will
> have flaws as well.
>
Maybe the information I had is already outdated, since all this stuff
moves pretty quickly :)
What are the flaws of all the SHA-224/256/384/512 hashes ?
see this for example :
http://en.wikipedia.org/wiki/SHA-1#SHA_sizes
Or are these the new algorithms ? They could indeed have flaws as well,
but still say more secure than the current ones, even after flaws
are found.
> If we just trusted md5s or sha1s, then it would be less secure and more
> complicated, but because we look at both md5s and sha1s *together* that
> things improve.
>
I'm not convinced that
1) md5 or sha1 alone aren't enough secure (for our use case)
2) combining md5 and sha1 is better than eg SHA-256
> An analogy, think of two sheets with holes in them. You can look through
> each sheet and see the light on the other side, but if you lay the two
> sheets on top of each other a lot less light is visible. Because we're
> considering both hashing algorithms they cover some of the other's
> failings.
>
In that case, you move both holes so that they match (with padding) :)
But yes, that's still the general case, not pacman one.
> I'm all for making less complication though... maybe a more abstract hash
> API?
>
If we need to keep several hashing algorithm, I think this would be great.
More information about the pacman-dev
mailing list