On 18/09/11 23:38, Roan Kattouw wrote:
> On Mon, Sep 19, 2011 at 12:12 AM, Anthony<wikimail(a)inbox.org> wrote:
>> Did you try any of the non-secure hash functions? If you're going to
>> go with MD5, might as well go with the significantly faster CRC-64.
>
> I included MD5 because MediaWiki currently uses it for some things,
> and SHA-1 because it had been suggested in this discussion. I didn't
> feel the need to include anything non-cryptographic because points
> have been made that choosing a cryptographic hash function would be
> wise (because the feature might be used for something different later,
> among other things) and worries were expressed that SHA-256 might be
> too slow. I think these benchmarks show that that slowness is not a
> real problem, so I think we should pick the right tool for the job
> rather than try to pick the fastest hash function. It wasn't a
> contest, just a test to see whether SHA-256 was within the realm of
> feasibility, performance-wise.
>
> Roan
This post by Bruce Schneier on the subject of hash collision/preimage
attacks has some resources on the state-of-the-art of this as of 2009 --
people have been worrying about this for some years.
http://www.schneier.com/blog/archives/2009/06/ever_better_cry.html
As far as I know, there are no viable _preimage_ attacks available now
even for MD5, let alone SHA-1, but given the increasing value of keeping
Wikipedia's assets secure, and that the computational cost of using a
better hash is becoming more and more trivial as time progresses, it
would be prudent to make plans now for eventually upgrading to a better
hash function.
In an ideal world, both SHA-1 and SHA-2 could be supported by MediaWiki,
with the choice of the hash being configurable by the site
administrator, and the chosen hash algorithm name being stored with the
hash value itself in the database, allowing smooth transition from the
old to the new once the administrator decides to flip the switch to use
the better hash. In the short run, the default could be set to SHA-1 for
performance reasons, and SHA-2 used only by the paranoid; in the longer
run, new releases of MediaWiki could be shipped with SHA-2 as the default.
-- Neil
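The scheme Neil sketches above, with the algorithm name stored next to the digest, a site-configurable default, and a migration path for rows hashed under the old algorithm, as an added Python example; this is not MediaWiki code, and the `algo:hexdigest` tag format, the function names, and the treatment of a bare 40-character value as a legacy SHA-1 digest are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Algorithms an administrator may select; the site default is configurable.
SUPPORTED_ALGOS = ("sha1", "sha256")
_HEX_RE = re.compile(r"^[0-9a-f]+$")


def tagged_hash(data: bytes, algo: str = "sha1") -> str:
    """Hash data and record which algorithm produced the digest ("algo:hex")."""
    if algo not in SUPPORTED_ALGOS:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"


def parse_stored(stored: str) -> tuple:
    """Split a stored value into (algo, hexdigest). A bare 40-char hex string
    is assumed to be a legacy SHA-1 digest written before the tag existed."""
    algo, sep, digest = stored.partition(":")
    if not sep:
        if len(stored) == 40 and _HEX_RE.match(stored):
            return "sha1", stored
        raise ValueError("untagged value is not a legacy SHA-1 digest")
    if algo not in SUPPORTED_ALGOS or not _HEX_RE.match(digest):
        raise ValueError(f"malformed stored hash: {stored!r}")
    if len(digest) != 2 * hashlib.new(algo).digest_size:
        raise ValueError(f"digest length does not match {algo}")
    return algo, digest


def verify(data: bytes, stored: str) -> bool:
    """Check data against whichever algorithm the stored value names."""
    algo, digest = parse_stored(stored)
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), digest)


def needs_upgrade(stored: str, site_algo: str) -> bool:
    """True when the row was hashed with something other than the site default."""
    return parse_stored(stored)[0] != site_algo


def upgrade(data: bytes, stored: str, site_algo: str) -> str:
    """Re-hash a row with the site's current algorithm, but only after the old
    digest still verifies, so a corrupted row is not silently re-blessed."""
    if not verify(data, stored):
        raise ValueError("stored digest does not match data; refusing to upgrade")
    if not needs_upgrade(stored, site_algo):
        return stored
    return tagged_hash(data, site_algo)
```

Flipping the site default then becomes a background pass that calls `upgrade` on each row, while `verify` keeps working for rows that have not been migrated yet.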