-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Moin,
On Tuesday 23 January 2007 19:20, Mark Clements wrote:
> "Tels" <nospam-abuse(a)bloodgate.com> wrote in message
> news:200701231852.29592@bloodgate.com...
>> What function you actually use for H(), may it be MD5 or SHA1, is
>> practically irrelevant here, though, but when you migrate to such a
>> scheme, you might as well use SHA256 instead of MD5 (even if it is just
>> to quieten all the "MD5 is insecure" criers :)
> In security, doing things because "you might as well" is an incredibly
> bad idea! A security system should only be changed to be a _better_
> security system (and even then after it has been proven to be better).
> _Never_ because it's 'probably not worse'!
I agree with you in principle, but please note that I advocated the
switch "as well" because:
* SHA256 is generally considered a more secure hash (or it would be silly to
switch)
* after changing the core algorithm, you must evaluate the security of the
new system, so you might as well *consider* switching the hash function,
because then you need to do the switch only once and the evaluation only
once, too. You know, so as not to have to redo this in a few months when the
next attack on MD5 comes (this time affecting your system)
Of course, your evaluation might also result in "there is no need to switch
anything".
Best wishes,
Tels
--
Signed on Tue Jan 23 21:24:46 2007 with key 0x93B84C15.
View my photo gallery:
http://bloodgate.com/photos
PGP key on
http://bloodgate.com/tels.asc or per email.
"In 1988, Jack Thompson ran against Janet Reno for DA of Dade County:
Thompson's unique campaign message was that Reno was unfit for the job
because, as a closeted lesbian with a drinking problem, she was great
candidate for blackmail by the criminal element. Jack never explained
why this remained a threat even after he exposed her 'secret'. Reno
cruised at the polls."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRbZvwncLPEOTuEwVAQIynwf+MmY1t2EshWeGQjY/YhP6nHis6XiEkNvs
fk9iKXdoA9JmghXepVU5uZZ+Aetnw/C4RNkTnAzy3JX1lxeScxD7NXsr4tByFwru
2U7zj+DpmsEfzDiBhzCNZETkrnj4fVXs+knaTTxfQPv8WhhzWVARe1jKN8qBYdw2
DzuapzI2jEEejdrn+jD0P8OzA6SJvNvftoPvzB6WQoaR1RGTkNe8AkKd5HcAr7Kq
Qv/w/hu17FNnWaNzg11NJi+ujoKZcQXzPXVF+o5PyATMk6FqMG0tWeg2gKFz5cWz
vMtHGYwZu0Pt49Ad3i9+DbE1008DOsZhkRNpQ+ED6FbRyCqshZQyZQ==
=yP4d
-----END PGP SIGNATURE-----
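The point Tels makes above, that the choice of H() is secondary to the scheme and that a migration should be designed so the hash function only has to be swapped (and the evaluation only done) once, is easiest to see in code. The following is an added example, not code from the thread or from any of its participants; it assumes H() is applied to a random salt plus a secret and that each stored record carries the name of the algorithm it was made with, so MD5 records can still be verified and are re-hashed with SHA-256 on the next successful check. Record format, function names and the `CURRENT_ALGO` constant are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not from the thread. Assumption: each stored record is
# "algo$salt_hex$digest_hex", so the hash function is a parameter of the
# record rather than of the scheme, and can be switched exactly once.
CURRENT_ALGO = "sha256"   # algorithm used for every record written from now on


def make_record(secret: bytes, algo: str = CURRENT_ALGO,
                salt: Optional[bytes] = None) -> str:
    """Return 'algo$salt_hex$digest_hex' for the given secret.

    A fixed salt may be passed for reproducible tests; normally it is random.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.new(algo, salt + secret).hexdigest()
    return f"{algo}${salt.hex()}${digest}"


def verify(secret: bytes, record: str) -> bool:
    """Recompute the digest with whatever algorithm the record names."""
    algo, salt_hex, digest_hex = record.split("$")
    expected = hashlib.new(algo, bytes.fromhex(salt_hex) + secret).hexdigest()
    # constant-time comparison so verification does not leak digest bytes
    return hmac.compare_digest(expected, digest_hex)


def needs_upgrade(record: str) -> bool:
    """True if the record was written with an algorithm other than CURRENT_ALGO."""
    return record.split("$", 1)[0] != CURRENT_ALGO


def verify_and_upgrade(secret: bytes, record: str) -> Tuple[bool, str]:
    """Verify the secret; on success, re-hash legacy records with CURRENT_ALGO.

    Returns (ok, record_to_store). The record is only replaced after a
    successful verification, because that is the only moment the plaintext
    secret is available to recompute it.
    """
    if not verify(secret, record):
        return False, record
    if needs_upgrade(record):
        return True, make_record(secret)
    return True, record


if __name__ == "__main__":
    # Constructed sample: a legacy MD5 record, as a system might hold before
    # the migration, with a fixed salt so the output is reproducible.
    legacy = make_record(b"correct horse", algo="md5", salt=bytes(16))
    print("legacy record:", legacy)
    ok, upgraded = verify_and_upgrade(b"correct horse", legacy)
    print("verified:", ok, "| upgraded record:", upgraded)
    print("still needs upgrade:", needs_upgrade(upgraded))
```

The evaluation Tels talks about still has to happen once: swapping `CURRENT_ALGO` changes nothing about how the salt is chosen or how the digest is combined with the secret, and a plain salted digest is not a slow password KDF, so the example only shows the agility of the scheme, not that a given H() is adequate for a given use.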