Subject: Re: Verifying a kernel.
To: Jason Thorpe <thorpej@shagadelic.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-kern
Date: 07/20/2005 12:15:10
In message <8581520D-6EBA-44E7-B311-82EF3155D1D0@shagadelic.org>, Jason Thorpe 
writes:
>
>On Jul 20, 2005, at 5:26 AM, Tonnerre wrote:
>
>> Don't allow MD5! Also, SHA1 is a candidate that shouldn't be  
>> trusted just
>> like this. Why?
>>
>>  - people might use it
>>  - people might decide to use it for security relevant functions
>>  - people are thereby prone to the typical MD5 bit flipping attacks  
>> et al.
>>
>> I'm talking myself blue in the face on that: Don't use md5.
>
>We're not talking about a digital signature algorithm here.  We're  
>simply talking about a checksum that can be used to ensure that the  
>bits on disk landed in memory correctly.  There is no reason to  
>disallow MD5 for this.
>

There's a subtle distinction here between a *safety* algorithm and a 
*security* algorithm.  The former deals with naturally-occurring 
failures; the latter deals with enemy action.  The two are not the 
same.  If I (and Jason) correctly understand Matt's question, we're 
talking about a safety algorithm.  MD5 is fine for that.  CRC32 is 
probably not, though -- the size of the kernel is such that the 
probability of an undetected error is too high.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
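Added illustration of the safety-check model discussed in this thread (example code, not from this message or from NetBSD): a loader copies a constructed 64 KiB stand-in for a kernel image into "memory" chunk by chunk, optionally passing each chunk through a fault model that simulates a bad read (a single flipped bit, or a garbled run of bytes), then recomputes the stored check value over what actually landed. Both MD5 and CRC32 are tried so the two can be compared on random faults. The image contents, chunk size, and fault models are all constructed for the example. Note that this models naturally-occurring transit errors only; an adversary who can rewrite both the image and the stored check is outside what either value defends against.

```python
"""Safety-style integrity check of a loaded kernel image (added example)."""
import hashlib
import random
import zlib

CHUNK = 4096  # the simulated loader copies the image in 4 KiB reads

# Constructed stand-in for a kernel image: 64 KiB of seeded pseudo-random bytes.
_rng = random.Random(1)
KERNEL_IMAGE = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))


def md5_check(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def crc32_check(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "big")


ALGOS = {"md5": md5_check, "crc32": crc32_check}


def stamp_image(image: bytes, algo: str) -> bytes:
    """Build-time step: the check value that is stored alongside the image."""
    return ALGOS[algo](image)


def load_and_verify(on_disk: bytes, stored: bytes, algo: str, fault=None):
    """Copy the image into 'memory' chunk by chunk, optionally running each chunk
    through a fault model (simulating a bad read), then recompute the check over
    what actually landed and compare it with the stored value.
    Returns (ok, memory)."""
    memory = bytearray()
    for off in range(0, len(on_disk), CHUNK):
        chunk = on_disk[off:off + CHUNK]
        if fault is not None:
            chunk = fault(chunk, off)
        memory += chunk
    ok = ALGOS[algo](bytes(memory)) == stored
    return ok, memory


def single_bit_flip(image_len: int, rng: random.Random):
    """Fault model: exactly one bit of the whole image is flipped in transit."""
    target = rng.randrange(image_len * 8)

    def fault(chunk: bytes, off: int) -> bytes:
        first, last = off * 8, (off + len(chunk)) * 8
        if not (first <= target < last):
            return chunk
        b = bytearray(chunk)
        i, bit = divmod(target - first, 8)
        b[i] ^= 1 << bit
        return bytes(b)
    return fault


def burst_error(image_len: int, rng: random.Random, max_len: int = 64):
    """Fault model: a contiguous run of 1..max_len bytes is garbled in transit.
    The XOR mask has no zero bytes, so every byte in the run really changes."""
    n = rng.randrange(1, max_len + 1)
    start = rng.randrange(image_len - n)
    mask = bytes(rng.randrange(1, 256) for _ in range(n))

    def fault(chunk: bytes, off: int) -> bytes:
        lo, hi = max(start, off), min(start + n, off + len(chunk))
        if lo >= hi:
            return chunk
        b = bytearray(chunk)
        for pos in range(lo, hi):
            b[pos - off] ^= mask[pos - start]
        return bytes(b)
    return fault


def detection_rate(algo: str, model, trials: int = 200, seed: int = 7) -> float:
    """Fraction of random faults of the given model that the check catches."""
    rng = random.Random(seed)
    stored = stamp_image(KERNEL_IMAGE, algo)
    missed = 0
    for _ in range(trials):
        ok, _mem = load_and_verify(KERNEL_IMAGE, stored, algo,
                                   model(len(KERNEL_IMAGE), rng))
        missed += ok  # a check that still passes means the corruption slipped by
    return 1 - missed / trials


if __name__ == "__main__":
    for algo in ALGOS:
        stored = stamp_image(KERNEL_IMAGE, algo)
        ok, _mem = load_and_verify(KERNEL_IMAGE, stored, algo)
        print(f"{algo}: clean load verified={ok}, "
              f"single-bit faults detected={detection_rate(algo, single_bit_flip):.3f}, "
              f"burst faults detected={detection_rate(algo, burst_error):.3f}")
```

Both checks catch every fault in these trials; CRC32 is guaranteed to catch any single-bit error and any burst shorter than its 32-bit width, while longer random corruption slips past it with probability about 2^-32 per event, against roughly 2^-128 for a 128-bit digest. That is the kind of question a safety check is chosen on; none of it says anything about what happens when the corruption is chosen by someone who also controls the stored value.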