According to a text in CryptoBytes (Vol 2 No 2, Summer 1996), 
MD5 is not the best solution for confirming the retrieved distfiles
match the original files. I suppose to use SHA1 instead of MD5,
since this algorithm seems to be more secure for a longer period
of time. By the way, OpenBSD people decided to use SHA1, too.


Dobbertin wrote:

| Conclusions
|
| The presented attack does not yet threaten practical applications of
| MD5, but it comes rather close. In view of the flexibility of the
| new analytic techniques it would be unwise to assume that the attack
| could not be improved. Ron Rivest [16] commented on the status of
| MD4, after two-round attacks had been found, that it is at the
| edge in terms of risking suc-cessful cryptanalytic attack. Today
| this assessment characterizes the status of MD5. Therefore we
| suggest that in the future MD5 should no longer be implemented in
| applications like signature schemes, where a collision-resistant
| hash function is required. According to our present knowledge,
| the best recommendations for alternatives to MD5 are SHA-1 and
| RIPEMD-160. If essentially weaker cryptographic properties than
| collision-resistance suffice then the use of MD5 might still be
| secure. MD5 can still be used as a one-way function. The HMAC due to
| Bellare, Canetti, and Krawczyk [3, 4] is not touched by the recent
| analytic progress. Future research should analyse hash functions
| with respect to properties like pseudo-random behaviour, which are
| required in message authentication constructions.


Why are we still using MD5? 


Regards,
Dominik

-- 
/*  Dominik Rothert         |           dr@astorit.com  *
 *  A S T O R I T           |  http://www.astorit.com/  *
 *  Hohenzollernring 52     |       fon +49-221-251440  *
 *  50672 Cologne, Germany  |       fax +49-221-251443  */:wq!