On 18/09/11 23:38, Roan Kattouw wrote:
> On Mon, Sep 19, 2011 at 12:12 AM, Anthony <wikimail@inbox.org> wrote:
> > Did you try any of the non-secure hash functions? If you're going to go with MD5, might as well go with the significantly faster CRC-64.
> I included MD5 because MediaWiki currently uses it for some things, and SHA-1 because it had been suggested in this discussion. I didn't feel the need to include anything non-cryptographic because points have been made that choosing a cryptographic hash function would be wise (because the feature might be used for something different later, among other things) and worries were expressed that SHA-256 might be too slow. I think these benchmarks show that that slowness is not a real problem, so I think we should pick the right tool for the job rather than try to pick the fastest hash function. It wasn't a contest, just a test to see whether SHA-256 was within the realm of feasibility, performance-wise.
> Roan
This post by Bruce Schneier on the subject of hash collision/preimage attacks has some resources on the state-of-the-art of this as of 2009 -- people have been worrying about this for some years.
http://www.schneier.com/blog/archives/2009/06/ever_better_cry.html
As far as I know, there are no viable _preimage_ attacks available now even for MD5, let alone SHA-1, but given the increasing value of keeping Wikipedia's assets secure, and that the computational cost of using a better hash is becoming more and more trivial as time progresses, it would be prudent to make plans now for eventually upgrading to a better hash function.
In an ideal world, both SHA-1 and SHA-2 could be supported by MediaWiki, with the choice of the hash being configurable by the site administrator, and the chosen hash algorithm name being stored with the hash value itself in the database, allowing smooth transition from the old to the new once the administrator decides to flip the switch to use the better hash. In the short run, the default could be set to SHA-1 for performance reasons, and SHA-2 used only by the paranoid; in the longer run, new releases of MediaWiki could be shipped with SHA-2 as the default.
-- Neil
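One way to lay out the configurable, self-describing hash storage Neil's message sketches, as an added example that is not MediaWiki code: the algorithm name is stored with the digest, verification dispatches on the stored name, and a row is re-hashed to the configured algorithm the next time its content is at hand. The `algo:hexdigest` tag format, the treatment of untagged values as legacy SHA-1, the SUPPORTED tuple and all function names are assumptions of this example.

```python
import hashlib
import hmac

# Assumed storage format: "<algo>:<hexdigest>". Values written before the
# scheme existed carry no tag and are assumed to be bare hex SHA-1.
DEFAULT_ALGO = "sha1"            # the short-run default the post suggests
SUPPORTED = ("sha1", "sha256")   # hypothetical site-configurable choice


def compute_tagged(data: bytes, algo: str = DEFAULT_ALGO) -> str:
    """Hash data with algo and return the tagged value to store."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"


def parse_tagged(stored: str) -> tuple[str, str]:
    """Split 'algo:hex' into (algo, hex); an untagged value is legacy SHA-1."""
    algo, sep, digest = stored.partition(":")
    if not sep:
        return "sha1", stored
    return algo, digest


def verify(data: bytes, stored: str) -> bool:
    """Recompute under the algorithm recorded in the stored value and compare.
    Unknown algorithms (e.g. a retired one) fail closed rather than raising."""
    algo, digest = parse_tagged(stored)
    if algo not in SUPPORTED or not digest.isascii():
        return False
    expected = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(expected, digest)


def needs_upgrade(stored: str, configured: str) -> bool:
    """True when the row was hashed with something other than the configured algo."""
    return parse_tagged(stored)[0] != configured


def rehash_on_touch(data: bytes, stored: str, configured: str) -> str:
    """Migration step: verify the row under its recorded algorithm, then return
    the value to write back: a fresh tag under the configured algorithm if it
    differs, otherwise the stored value unchanged. Content that fails the old
    hash is never silently re-tagged, since that would launder corruption."""
    if not verify(data, stored):
        raise ValueError("stored hash does not match content; refusing to re-tag")
    if needs_upgrade(stored, configured):
        return compute_tagged(data, configured)
    return stored
```

Flipping the configured algorithm from "sha1" to "sha256" then migrates rows lazily as they are touched, with old and new tags coexisting in the same column.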